sveltekit-auth-example 5.8.3 → 5.8.5

package/.prettierignore

@@ -4,6 +4,7 @@
 .yarn
 node_modules
 coverage
+build
 .env
 !.env.example
 yarn.lock

package/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 - Add password complexity checking on /register and /profile pages (only checks for length currently despite what the pages say)
 
+# 5.8.5
+
+- Fix lint errors
+
+# 5.8.4
+
+- Fix README: replace outdated SendGrid references with Brevo; update env var names (`BREVO_KEY`, `EMAIL`) and source file paths
+
 # 5.8.3
 
 - Add unit tests for all auth route handlers: `/auth/[slug]`, `/auth/forgot`, `/auth/google`, `/auth/login`, `/auth/logout`, `/auth/mfa`, `/auth/register`, `/auth/reset`, `/auth/verify/[token]`

package/README.md

@@ -118,4 +118,4 @@ The website supports two types of authentication:
 
 > There is some overhead to checking the user session in a database each time versus using a JWT; however, validating each request avoids problems discussed in [this article](https://redis.com/blog/json-web-tokens-jwt-are-dangerous-for-user-sessions/). For a high-volume website, I would use Redis or the equivalent.
 
-The forgot password / password reset functionality uses a JWT and [**SendGrid**](https://www.sendgrid.com) to send the email. You would need to have a **SendGrid** account and set two environmental variables. Email sending is in /src/routes/auth/forgot/+server.ts. This code could easily be replaced by nodemailer or something similar. Note: I have no affiliation with **SendGrid** (used their API in another project).
+The forgot password / password reset functionality uses a JWT and [**Brevo**](https://brevo.com) to send the email. You would need to have a **Brevo** account and set the `BREVO_KEY` and `EMAIL` environment variables (see setup instructions above). Email sending is in `src/lib/server/brevo.ts` and the email templates are in `src/lib/server/email/`. This code could easily be replaced by nodemailer or something similar.

package/eslint.config.mjs

@@ -27,7 +27,18 @@ export default defineConfig(
 		rules: {
 			// typescript-eslint strongly recommend that you do not use the no-undef lint rule on TypeScript projects.
 			// see: https://typescript-eslint.io/troubleshooting/faqs/eslint/#i-get-errors-from-the-no-undef-rule-about-global-variables-not-being-defined-even-though-there-are-no-typescript-errors
-			'no-undef': 'off'
+			'no-undef': 'off',
+			// Standard SvelteKit patterns (goto(), hrefs) don't need resolve()
+			'svelte/no-navigation-without-resolve': 'off',
+			// Allow underscore-prefixed names as conventional "discard" variables
+			'@typescript-eslint/no-unused-vars': [
+				'error',
+				{
+					argsIgnorePattern: '^_',
+					varsIgnorePattern: '^_',
+					caughtErrorsIgnorePattern: '^_'
+				}
+			]
 		}
 	},
 	{
@@ -44,5 +55,12 @@ export default defineConfig(
 			'svelte/no-at-html-tags': 'warn',
 			'svelte/require-each-key': 'warn'
 		}
+	},
+	{
+		// Test files routinely need `as any` to mock typed return values
+		files: ['**/*.unit.test.ts'],
+		rules: {
+			'@typescript-eslint/no-explicit-any': 'off'
+		}
 	}
 )

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "sveltekit-auth-example",
 	"description": "SvelteKit Authentication Example",
-	"version": "5.8.3",
+	"version": "5.8.5",
 	"author": "Nate Stuyvesant",
 	"license": "https://github.com/nstuyvesant/sveltekit-auth-example/blob/master/LICENSE",
 	"repository": {
@@ -44,6 +44,7 @@
 		"pg": "^8.20.0"
 	},
 	"devDependencies": {
+		"@eslint/compat": "^1.0.3",
 		"@eslint/js": "^10.0.1",
 		"@playwright/test": "^1.58.2",
 		"@sveltejs/adapter-node": "^5.5.4",

package/src/app.d.ts

@@ -1,5 +1,3 @@
-/* eslint-disable @typescript-eslint/no-explicit-any */
-
 // See https://kit.svelte.dev/docs/types#app
 // for information about these interfaces
 // and what to do when importing types

package/src/hooks.server.unit.test.ts

@@ -1,5 +1,4 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest'
-import { error } from '@sveltejs/kit'
 
 vi.mock('$lib/server/db', () => ({ query: vi.fn() }))
 
@@ -28,7 +27,7 @@ function makeEvent({
 	} as unknown as Parameters<typeof handle>[0]['event']
 }
 
-const resolve = vi.fn(async (event: unknown) => new Response('ok', { status: 200 }))
+const resolve = vi.fn(async (_event: unknown) => new Response('ok', { status: 200 }))
 
 beforeEach(() => {
 	vi.resetAllMocks()

package/src/lib/Turnstile.svelte

@@ -7,6 +7,7 @@
 		theme?: 'light' | 'dark' | 'auto'
 	}
 
+	// eslint-disable-next-line no-useless-assignment
 	let { token = $bindable(''), theme = 'auto' }: Props = $props()
 
 	let container: HTMLDivElement | undefined = $state()

package/src/lib/app-state.svelte.unit.test.ts

@@ -31,8 +31,7 @@ describe('appState', () => {
 				email: 'admin@example.com',
 				firstName: 'Jane',
 				lastName: 'Doe',
-				phone: '412-555-1212',
-				optOut: false
+				phone: '412-555-1212'
 			}
 
 			appState.user = user
@@ -41,7 +40,14 @@ describe('appState', () => {
 		})
 
 		it('can be cleared back to undefined', () => {
-			appState.user = { id: 1, role: 'student', email: 'a@b.com', firstName: 'A', lastName: 'B', phone: '', optOut: false }
+			appState.user = {
+				id: 1,
+				role: 'student',
+				email: 'a@b.com',
+				firstName: 'A',
+				lastName: 'B',
+				phone: ''
+			}
 			appState.user = undefined
 			expect(appState.user).toBeUndefined()
 		})
@@ -51,7 +57,11 @@ describe('appState', () => {
 		it('can be updated to show a notification', () => {
 			appState.toast = { title: 'Success', body: 'Your changes were saved.', isOpen: true }
 
-			expect(appState.toast).toEqual({ title: 'Success', body: 'Your changes were saved.', isOpen: true })
+			expect(appState.toast).toEqual({
+				title: 'Success',
+				body: 'Your changes were saved.',
+				isOpen: true
+			})
 		})
 
 		it('isOpen can be toggled independently', () => {

package/src/lib/fetch-interceptor.unit.test.ts

@@ -24,7 +24,14 @@ describe('setupFetchInterceptor', () => {
 		// Save and restore window.fetch around each test
 		originalFetch = window.fetch
 		mockGoto.mockReset()
-		appState.user = { id: 1, role: 'admin', email: 'a@b.com', firstName: 'A', lastName: 'B', phone: '', optOut: false }
+		appState.user = {
+			id: 1,
+			role: 'admin',
+			email: 'a@b.com',
+			firstName: 'A',
+			lastName: 'B',
+			phone: ''
+		}
 		setupFetchInterceptor()
 	})
 

package/src/lib/focus.ts

@@ -7,7 +7,7 @@
  * @param form - The form element to search for invalid inputs.
  */
 export const focusOnFirstError = (form: HTMLFormElement) => {
-	for (const field of form.elements) {
+	for (const field of Array.from(form.elements)) {
 		if (field instanceof HTMLInputElement && !field.checkValidity()) {
 			field.focus()
 			break

package/src/lib/google.unit.test.ts

@@ -2,7 +2,9 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
 
 vi.mock('$env/static/public', () => ({ PUBLIC_GOOGLE_CLIENT_ID: 'test-client-id' }))
-vi.mock('$lib/app-state.svelte', () => ({ appState: { googleInitialized: false, user: undefined } }))
+vi.mock('$lib/app-state.svelte', () => ({
+	appState: { googleInitialized: false, user: undefined }
+}))
 vi.mock('$lib/auth-redirect', () => ({ redirectAfterLogin: vi.fn() }))
 
 import { renderGoogleButton, initializeGoogleAccounts } from './google'
@@ -47,11 +49,14 @@ describe('renderGoogleButton', () => {
 		renderGoogleButton()
 
 		expect(mock.renderButton).toHaveBeenCalledOnce()
-		expect(mock.renderButton).toHaveBeenCalledWith(btn, expect.objectContaining({
-			type: 'standard',
-			theme: 'outline',
-			size: 'large'
-		}))
+		expect(mock.renderButton).toHaveBeenCalledWith(
+			btn,
+			expect.objectContaining({
+				type: 'standard',
+				theme: 'outline',
+				size: 'large'
+			})
+		)
 	})
 
 	it('falls back to 400 when the button has no width', () => {
@@ -118,9 +123,11 @@ describe('initializeGoogleAccounts', () => {
 		initializeGoogleAccounts()
 
 		expect(mock.initialize).toHaveBeenCalledOnce()
-		expect(mock.initialize).toHaveBeenCalledWith(expect.objectContaining({
-			client_id: 'test-client-id'
-		}))
+		expect(mock.initialize).toHaveBeenCalledWith(
+			expect.objectContaining({
+				client_id: 'test-client-id'
+			})
+		)
 	})
 
 	it('sets appState.googleInitialized to true', () => {
@@ -153,19 +160,20 @@ describe('initializeGoogleAccounts', () => {
 		const { callback } = mock.initialize.mock.calls[0][0]
 		await callback({ credential: 'test-credential' })
 
-		expect(fetch).toHaveBeenCalledWith('/auth/google', expect.objectContaining({
-			method: 'POST',
-			body: JSON.stringify({ token: 'test-credential' })
-		}))
+		expect(fetch).toHaveBeenCalledWith(
+			'/auth/google',
+			expect.objectContaining({
+				method: 'POST',
+				body: JSON.stringify({ token: 'test-credential' })
+			})
+		)
 		expect(appState.user).toEqual(user)
 		expect(mockRedirectAfterLogin).toHaveBeenCalledWith(user)
 	})
 
 	it('callback does not update state when the response is not ok', async () => {
 		const mock = installGoogleMock()
-		vi.spyOn(globalThis, 'fetch').mockResolvedValue(
-			new Response(null, { status: 401 })
-		)
+		vi.spyOn(globalThis, 'fetch').mockResolvedValue(new Response(null, { status: 401 }))
 
 		initializeGoogleAccounts()
 

package/src/lib/server/brevo.unit.test.ts

@@ -32,6 +32,7 @@ describe('sendMessage', () => {
 	it('throws if BREVO_KEY is missing', async () => {
 		vi.doMock('$env/dynamic/private', () => ({ env: {} }))
 		// Re-import to pick up the new mock
+		// @ts-expect-error Vite query string not recognized by tsc
 		const { sendMessage: sm } = await import('./brevo?nocache-1')
 		await expect(sm(validMessage)).rejects.toThrow('Brevo API key is missing')
 	})
@@ -160,7 +161,9 @@ describe('sendMessage', () => {
 		vi.useFakeTimers()
 		vi.spyOn(globalThis, 'fetch').mockRejectedValue(new TypeError('Network failure'))
 
-		const rejection = expect(sendMessage(validMessage)).rejects.toThrow('Failed to send email after retries')
+		const rejection = expect(sendMessage(validMessage)).rejects.toThrow(
+			'Failed to send email after retries'
+		)
 		await vi.runAllTimersAsync()
 		await rejection
 		vi.useRealTimers()

package/src/lib/server/db.ts

@@ -16,8 +16,6 @@ type QueryFunction = <T extends QueryResultRow>(
 	name?: string
 ) => Promise<QueryResult<T>>
 
-let queryFn: QueryFunction
-
 const pool = new pg.Pool({
 	max: 10, // default
 	idleTimeoutMillis: 10000,
@@ -39,7 +37,7 @@ pool.on('error', (err: Error) => {
  * @param name - Optional name for the query to use a prepared statement.
  * @returns A promise resolving to the typed QueryResult.
  */
-queryFn = <T extends QueryResultRow>(
+const queryFn: QueryFunction = <T extends QueryResultRow>(
 	sql: string,
 	params?: (string | number | boolean | object | null)[],
 	name?: string
@@ -71,7 +69,7 @@ queryFn = <T extends QueryResultRow>(
  * );
  * ```
  */
-export const query = <T extends QueryResultRow = any>(
+export const query = <T extends QueryResultRow = QueryResultRow>(
 	sql: string,
 	params?: (string | number | boolean | object | null)[],
 	name?: string

package/src/lib/server/db.unit.test.ts

@@ -38,7 +38,10 @@ describe('query', () => {
 		await query('SELECT $1::text AS val', ['hello'])
 
 		expect(mockPoolQuery).toHaveBeenCalledOnce()
-		expect(mockPoolQuery).toHaveBeenCalledWith({ text: 'SELECT $1::text AS val', values: ['hello'] })
+		expect(mockPoolQuery).toHaveBeenCalledWith({
+			text: 'SELECT $1::text AS val',
+			values: ['hello']
+		})
 	})
 
 	it('passes SQL without params to pool.query', async () => {

package/src/lib/server/email/password-reset.unit.test.ts

@@ -1,6 +1,8 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest'
 
-vi.mock('$env/dynamic/private', () => ({ env: { EMAIL: 'no-reply@example.com', DOMAIN: 'https://example.com' } }))
+vi.mock('$env/dynamic/private', () => ({
+	env: { EMAIL: 'no-reply@example.com', DOMAIN: 'https://example.com' }
+}))
 
 vi.mock('$lib/server/brevo', () => ({ sendMessage: vi.fn() }))
 

package/src/lib/server/email/verify-email.unit.test.ts

@@ -1,6 +1,8 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest'
 
-vi.mock('$env/dynamic/private', () => ({ env: { EMAIL: 'no-reply@example.com', DOMAIN: 'https://example.com' } }))
+vi.mock('$env/dynamic/private', () => ({
+	env: { EMAIL: 'no-reply@example.com', DOMAIN: 'https://example.com' }
+}))
 
 vi.mock('$lib/server/brevo', () => ({ sendMessage: vi.fn() }))
 

package/src/lib/server/turnstile.unit.test.ts

@@ -94,10 +94,7 @@ describe('verifyTurnstileToken', () => {
 		const result = await verifyTurnstileToken('some-token')
 
 		expect(result).toBe(false)
-		expect(consoleSpy).toHaveBeenCalledWith(
-			'Turnstile verification error:',
-			expect.any(Error)
-		)
+		expect(consoleSpy).toHaveBeenCalledWith('Turnstile verification error:', expect.any(Error))
 	})
 
 	it('returns false when the response body is not valid JSON', async () => {

package/src/routes/api/v1/user/+server.ts

@@ -20,7 +20,7 @@ export const PUT: RequestHandler = async event => {
 	try {
 		const userUpdate = await event.request.json()
 		await query(`CALL update_user($1, $2);`, [user.id, JSON.stringify(userUpdate)])
-	} catch (err) {
+	} catch {
 		error(503, 'Could not communicate with database.')
 	}
 

package/src/routes/api/v1/user/{+server.unit.test.ts → server.unit.test.ts}

@@ -9,10 +9,7 @@ const mockQuery = vi.mocked(query)
 
 const adminUser: UserProperties = { id: 42, role: 'admin', email: 'admin@example.com' }
 
-function makeEvent({
-	noUser = false,
-	body = {} as unknown
-} = {}) {
+function makeEvent({ noUser = false, body = {} as unknown } = {}) {
 	return {
 		locals: { user: noUser ? undefined : adminUser },
 		request: { json: vi.fn().mockResolvedValue(body) },
@@ -43,10 +40,10 @@ describe('PUT /api/v1/user', () => {
 
 		await PUT(makeEvent({ body: update }))
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('update_user'),
-			[adminUser.id, JSON.stringify(update)]
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('update_user'), [
+			adminUser.id,
+			JSON.stringify(update)
+		])
 	})
 
 	it('throws 401 when user is not authenticated', async () => {
@@ -78,10 +75,7 @@ describe('DELETE /api/v1/user', () => {
 
 		await DELETE(makeEvent())
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('delete_user'),
-			[adminUser.id]
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('delete_user'), [adminUser.id])
 	})
 
 	it('deletes the session cookie on success', async () => {
@@ -107,7 +101,7 @@ describe('DELETE /api/v1/user', () => {
 		mockQuery.mockRejectedValue(new Error('db down'))
 		const event = makeEvent()
 
-		await DELETE(event).catch(() => {})
+		await Promise.resolve(DELETE(event)).catch(() => {})
 
 		expect(event.cookies.delete).not.toHaveBeenCalled()
 	})

package/src/routes/auth/forgot/{+server.unit.test.ts → server.unit.test.ts}

@@ -17,7 +17,9 @@ const mockVerifyTurnstileToken = vi.mocked(verifyTurnstileToken)
 function makeEvent(body: Record<string, unknown> = {}) {
 	return {
 		request: {
-			json: vi.fn().mockResolvedValue({ turnstileToken: 'tok', email: 'user@example.com', ...body }),
+			json: vi
+				.fn()
+				.mockResolvedValue({ turnstileToken: 'tok', email: 'user@example.com', ...body }),
 			headers: { get: vi.fn().mockReturnValue(null) }
 		},
 		getClientAddress: vi.fn().mockReturnValue('127.0.0.1')

package/src/routes/auth/google/{+server.unit.test.ts → server.unit.test.ts}

@@ -13,7 +13,13 @@ import { OAuth2Client } from 'google-auth-library'
 const mockQuery = vi.mocked(query)
 const MockOAuth2Client = vi.mocked(OAuth2Client)
 
-const mockUser: User = { id: 1, email: 'jane@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+const mockUser: UserProperties = {
+	id: 1,
+	email: 'jane@example.com',
+	firstName: 'Jane',
+	lastName: 'Doe',
+	role: 'student'
+}
 const mockUserSession: UserSession = { id: 'session-abc', user: mockUser }
 
 function makeVerifyIdToken(payload: Record<string, unknown> | null) {
@@ -23,7 +29,7 @@ function makeVerifyIdToken(payload: Record<string, unknown> | null) {
 function setupOAuth2Mock(verifyIdToken: ReturnType<typeof vi.fn>) {
 	MockOAuth2Client.mockImplementation(function () {
 		return { verifyIdToken }
-	} as unknown as new (clientId: string) => OAuth2Client)
+	} as any)
 }
 
 function makeEvent(body: Record<string, unknown> = { token: 'google-jwt' }) {
@@ -40,7 +46,9 @@ beforeEach(() => {
 
 describe('POST /auth/google', () => {
 	it('returns 200 with user data on successful sign-in', async () => {
-		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		setupOAuth2Mock(
+			makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' })
+		)
 		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
 
 		const res = await POST(makeEvent())
@@ -52,22 +60,30 @@ describe('POST /auth/google', () => {
 	})
 
 	it('sets an httpOnly session cookie on success', async () => {
-		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		setupOAuth2Mock(
+			makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' })
+		)
 		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
 		const event = makeEvent()
 
 		await POST(event)
 
-		expect(event.cookies.set).toHaveBeenCalledWith('session', 'session-abc', expect.objectContaining({
-			httpOnly: true,
-			sameSite: 'lax',
-			secure: true,
-			path: '/'
-		}))
+		expect(event.cookies.set).toHaveBeenCalledWith(
+			'session',
+			'session-abc',
+			expect.objectContaining({
+				httpOnly: true,
+				sameSite: 'lax',
+				secure: true,
+				path: '/'
+			})
+		)
 	})
 
 	it('sets event.locals.user on success', async () => {
-		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		setupOAuth2Mock(
+			makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' })
+		)
 		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
 		const event = makeEvent()
 
@@ -77,7 +93,11 @@ describe('POST /auth/google', () => {
 	})
 
 	it('uses PUBLIC_GOOGLE_CLIENT_ID when verifying the token', async () => {
-		const verifyIdToken = makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' })
+		const verifyIdToken = makeVerifyIdToken({
+			given_name: 'Jane',
+			family_name: 'Doe',
+			email: 'jane@example.com'
+		})
 		setupOAuth2Mock(verifyIdToken)
 		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
 
@@ -88,15 +108,16 @@ describe('POST /auth/google', () => {
 	})
 
 	it('passes the Google user data to the DB upsert', async () => {
-		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		setupOAuth2Mock(
+			makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' })
+		)
 		mockQuery.mockResolvedValue({ rows: [{ user_session: mockUserSession }] } as any)
 
 		await POST(makeEvent())
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('start_gmail_user_session'),
-			[JSON.stringify({ firstName: 'Jane', lastName: 'Doe', email: 'jane@example.com' })]
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('start_gmail_user_session'), [
+			JSON.stringify({ firstName: 'Jane', lastName: 'Doe', email: 'jane@example.com' })
+		])
 	})
 
 	it('falls back to placeholder names when given_name/family_name are missing', async () => {
@@ -105,10 +126,13 @@ describe('POST /auth/google', () => {
 
 		await POST(makeEvent())
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.any(String),
-			[JSON.stringify({ firstName: 'UnknownFirstName', lastName: 'UnknownLastName', email: 'noname@example.com' })]
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.any(String), [
+			JSON.stringify({
+				firstName: 'UnknownFirstName',
+				lastName: 'UnknownLastName',
+				email: 'noname@example.com'
+			})
+		])
 	})
 
 	it('throws 401 when the Google token is invalid', async () => {
@@ -118,7 +142,9 @@ describe('POST /auth/google', () => {
 	})
 
 	it('throws 401 when the DB upsert fails', async () => {
-		setupOAuth2Mock(makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' }))
+		setupOAuth2Mock(
+			makeVerifyIdToken({ given_name: 'Jane', family_name: 'Doe', email: 'jane@example.com' })
+		)
 		mockQuery.mockRejectedValue(new Error('db error'))
 
 		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 401 })

package/src/routes/auth/login/+server.ts

@@ -69,7 +69,7 @@ export const POST: RequestHandler = async event => {
 		error(503, 'Could not communicate with database.')
 	}
 
-	const { authenticationResult }: { authenticationResult: AuthenticationResult } = result.rows[0]
+	const { authenticationResult } = result.rows[0] as { authenticationResult: AuthenticationResult }
 
 	if (!authenticationResult.user) {
 		// Track failed attempt for lockout

package/src/routes/auth/login/{+server.unit.test.ts → server.unit.test.ts}

@@ -15,7 +15,13 @@ const mockQuery = vi.mocked(query)
 const mockSendMfaCodeEmail = vi.mocked(sendMfaCodeEmail)
 const mockVerifyTurnstileToken = vi.mocked(verifyTurnstileToken)
 
-const mockUser: User = { id: 7, email: 'user@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+const mockUser: UserProperties = {
+	id: 7,
+	email: 'user@example.com',
+	firstName: 'Jane',
+	lastName: 'Doe',
+	role: 'student'
+}
 
 const successResult: AuthenticationResult = {
 	user: mockUser,
@@ -32,7 +38,10 @@ const failResult: AuthenticationResult = {
 }
 
 function makeEvent({
-	body = { email: 'user@example.com', password: 'Password1!', turnstileToken: 'tok' } as Record<string, unknown>,
+	body = { email: 'user@example.com', password: 'Password1!', turnstileToken: 'tok' } as Record<
+		string,
+		unknown
+	>,
 	mfaTrustedCookie = undefined as string | undefined
 } = {}) {
 	return {
@@ -61,8 +70,8 @@ describe('POST /auth/login — MFA flow', () => {
 	beforeEach(() => {
 		mockQuery
 			.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any) // authenticate
-			.mockResolvedValueOnce({ rows: [] } as any)                                         // delete_session
-			.mockResolvedValueOnce({ rows: [{ code: '123456' }] } as any)                       // create_mfa_code
+			.mockResolvedValueOnce({ rows: [] } as any) // delete_session
+			.mockResolvedValueOnce({ rows: [{ code: '123456' }] } as any) // create_mfa_code
 	})
 
 	it('returns { mfaRequired: true } when no trusted cookie is present', async () => {
@@ -114,12 +123,16 @@ describe('POST /auth/login — MFA trusted device', () => {
 
 		await POST(event)
 
-		expect(event.cookies.set).toHaveBeenCalledWith('session', 'sess-123', expect.objectContaining({
-			httpOnly: true,
-			sameSite: 'lax',
-			secure: true,
-			path: '/'
-		}))
+		expect(event.cookies.set).toHaveBeenCalledWith(
+			'session',
+			'sess-123',
+			expect.objectContaining({
+				httpOnly: true,
+				sameSite: 'lax',
+				secure: true,
+				path: '/'
+			})
+		)
 	})
 
 	it('sets event.locals.user when the trusted cookie is valid', async () => {
@@ -145,7 +158,9 @@ describe('POST /auth/login — MFA trusted device', () => {
 	})
 
 	it('falls through to MFA and deletes cookie when trusted token is expired', async () => {
-		const expiredToken = jwt.sign({ userId: mockUser.id, purpose: 'mfa-trusted' }, 'test-secret', { expiresIn: -1 })
+		const expiredToken = jwt.sign({ userId: mockUser.id, purpose: 'mfa-trusted' }, 'test-secret', {
+			expiresIn: -1
+		})
 		mockQuery
 			.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any)
 			.mockResolvedValueOnce({ rows: [] } as any)
@@ -195,18 +210,34 @@ describe('POST /auth/login — brute-force lockout', () => {
 
 		// 5 failures to trigger lockout
 		for (let i = 0; i < 5; i++) {
-			await POST(makeEvent({ body: { email: 'lockout@example.com', password: 'wrong', turnstileToken: 'tok' } })).catch(() => {})
+			await Promise.resolve(
+				POST(
+					makeEvent({
+						body: { email: 'lockout@example.com', password: 'wrong', turnstileToken: 'tok' }
+					})
+				)
+			).catch(() => {})
 		}
 
 		await expect(
-			POST(makeEvent({ body: { email: 'lockout@example.com', password: 'wrong', turnstileToken: 'tok' } }))
+			POST(
+				makeEvent({
+					body: { email: 'lockout@example.com', password: 'wrong', turnstileToken: 'tok' }
+				})
+			)
 		).rejects.toMatchObject({ status: 429 })
 	})
 
 	it('clears the lockout tracker on successful login', async () => {
 		// Register a failed attempt first
 		mockQuery.mockResolvedValueOnce({ rows: [{ authenticationResult: failResult }] } as any)
-		await POST(makeEvent({ body: { email: 'clear@example.com', password: 'wrong', turnstileToken: 'tok' } })).catch(() => {})
+		await Promise.resolve(
+			POST(
+				makeEvent({
+					body: { email: 'clear@example.com', password: 'wrong', turnstileToken: 'tok' }
+				})
+			)
+		).catch(() => {})
 
 		// Then succeed — mfa flow needs 3 query responses
 		mockQuery
@@ -215,7 +246,11 @@ describe('POST /auth/login — brute-force lockout', () => {
 			.mockResolvedValueOnce({ rows: [{ code: '000000' }] } as any)
 
 		// Should not throw 429
-		const res = await POST(makeEvent({ body: { email: 'clear@example.com', password: 'Password1!', turnstileToken: 'tok' } }))
+		const res = await POST(
+			makeEvent({
+				body: { email: 'clear@example.com', password: 'Password1!', turnstileToken: 'tok' }
+			})
+		)
 		expect((await res.json()).mfaRequired).toBe(true)
 	})
 })

package/src/routes/auth/logout/{+server.unit.test.ts → server.unit.test.ts}

@@ -7,7 +7,13 @@ import { query } from '$lib/server/db'
 
 const mockQuery = vi.mocked(query)
 
-const mockUser: User = { id: 3, email: 'user@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+const mockUser: UserProperties = {
+	id: 3,
+	email: 'user@example.com',
+	firstName: 'Jane',
+	lastName: 'Doe',
+	role: 'student'
+}
 
 function makeEvent({ noUser = false } = {}) {
 	return {
@@ -44,10 +50,7 @@ describe('POST /auth/logout', () => {
 
 		await POST(makeEvent())
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('delete_session'),
-			[mockUser.id]
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('delete_session'), [mockUser.id])
 	})
 
 	it('skips the DB call when no user is authenticated', async () => {

package/src/routes/auth/mfa/{+server.unit.test.ts → server.unit.test.ts}

@@ -12,9 +12,21 @@ import jwt from 'jsonwebtoken'
 const mockQuery = vi.mocked(query)
 const mockVerifyTurnstileToken = vi.mocked(verifyTurnstileToken)
 
-const mockUser: User = { id: 5, email: 'user@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+const mockUser: UserProperties = {
+	id: 5,
+	email: 'user@example.com',
+	firstName: 'Jane',
+	lastName: 'Doe',
+	role: 'student'
+}
 
-function makeEvent(body: Record<string, unknown> = { email: 'user@example.com', code: '123456', turnstileToken: 'tok' }) {
+function makeEvent(
+	body: Record<string, unknown> = {
+		email: 'user@example.com',
+		code: '123456',
+		turnstileToken: 'tok'
+	}
+) {
 	return {
 		request: {
 			json: vi.fn().mockResolvedValue(body),
@@ -28,9 +40,9 @@ function makeEvent(body: Record<string, unknown> = { email: 'user@example.com',
 /** Set up the three DB calls needed for a successful MFA verification. */
 function setupSuccessQueries() {
 	mockQuery
-		.mockResolvedValueOnce({ rows: [{ userId: mockUser.id }] } as any)     // verify_mfa_code
-		.mockResolvedValueOnce({ rows: [{ sessionId: 'sess-xyz' }] } as any)   // create_session
-		.mockResolvedValueOnce({ rows: [{ get_session: mockUser }] } as any)    // get_session
+		.mockResolvedValueOnce({ rows: [{ userId: mockUser.id }] } as any) // verify_mfa_code
+		.mockResolvedValueOnce({ rows: [{ sessionId: 'sess-xyz' }] } as any) // create_session
+		.mockResolvedValueOnce({ rows: [{ get_session: mockUser }] } as any) // get_session
 }
 
 beforeEach(() => {
@@ -56,12 +68,16 @@ describe('POST /auth/mfa', () => {
 
 		await POST(event)
 
-		expect(event.cookies.set).toHaveBeenCalledWith('session', 'sess-xyz', expect.objectContaining({
-			httpOnly: true,
-			sameSite: 'lax',
-			secure: true,
-			path: '/'
-		}))
+		expect(event.cookies.set).toHaveBeenCalledWith(
+			'session',
+			'sess-xyz',
+			expect.objectContaining({
+				httpOnly: true,
+				sameSite: 'lax',
+				secure: true,
+				path: '/'
+			})
+		)
 	})
 
 	it('sets an mfa_trusted cookie on success', async () => {
@@ -70,13 +86,17 @@ describe('POST /auth/mfa', () => {
 
 		await POST(event)
 
-		expect(event.cookies.set).toHaveBeenCalledWith('mfa_trusted', expect.any(String), expect.objectContaining({
-			httpOnly: true,
-			sameSite: 'lax',
-			secure: true,
-			path: '/',
-			maxAge: 30 * 24 * 60 * 60
-		}))
+		expect(event.cookies.set).toHaveBeenCalledWith(
+			'mfa_trusted',
+			expect.any(String),
+			expect.objectContaining({
+				httpOnly: true,
+				sameSite: 'lax',
+				secure: true,
+				path: '/',
+				maxAge: 30 * 24 * 60 * 60
+			})
+		)
 	})
 
 	it('mfa_trusted cookie is a valid JWT with correct payload', async () => {
@@ -85,7 +105,9 @@ describe('POST /auth/mfa', () => {
 
 		await POST(event)
 
-		const [, trustedToken] = vi.mocked(event.cookies.set).mock.calls.find(([name]) => name === 'mfa_trusted')!
+		const [, trustedToken] = vi
+			.mocked(event.cookies.set)
+			.mock.calls.find(([name]) => name === 'mfa_trusted')!
 		const payload = jwt.verify(trustedToken as string, 'test-secret') as Record<string, unknown>
 		expect(payload.userId).toBe(mockUser.id)
 		expect(payload.purpose).toBe('mfa-trusted')
@@ -96,10 +118,10 @@ describe('POST /auth/mfa', () => {
 
 		await POST(makeEvent({ email: 'User@Example.COM', code: '123456', turnstileToken: 'tok' }))
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('verify_mfa_code'),
-			['user@example.com', '123456']
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('verify_mfa_code'), [
+			'user@example.com',
+			'123456'
+		])
 	})
 
 	it('throws 401 when the MFA code is invalid or expired', async () => {
@@ -109,9 +131,9 @@ describe('POST /auth/mfa', () => {
 	})
 
 	it('throws 400 when email is missing', async () => {
-		await expect(
-			POST(makeEvent({ code: '123456', turnstileToken: 'tok' }))
-		).rejects.toMatchObject({ status: 400 })
+		await expect(POST(makeEvent({ code: '123456', turnstileToken: 'tok' }))).rejects.toMatchObject({
+			status: 400
+		})
 	})
 
 	it('throws 400 when code is missing', async () => {

package/src/routes/auth/register/+server.ts

@@ -59,7 +59,7 @@ export const POST: RequestHandler = async event => {
 		error(503, 'Could not communicate with database.')
 	}
 
-	const { authenticationResult }: { authenticationResult: AuthenticationResult } = result.rows[0]
+	const { authenticationResult } = result.rows[0] as { authenticationResult: AuthenticationResult }
 
 	if (!authenticationResult.user)
 		error(authenticationResult.statusCode, authenticationResult.status)

package/src/routes/auth/register/{+server.unit.test.ts → server.unit.test.ts}

@@ -15,7 +15,13 @@ const mockQuery = vi.mocked(query)
 const mockSendVerificationEmail = vi.mocked(sendVerificationEmail)
 const mockVerifyTurnstileToken = vi.mocked(verifyTurnstileToken)
 
-const mockUser: User = { id: 9, email: 'new@example.com', firstName: 'Jane', lastName: 'Doe', role: 'user' }
+const mockUser: UserProperties = {
+	id: 9,
+	email: 'new@example.com',
+	firstName: 'Jane',
+	lastName: 'Doe',
+	role: 'student'
+}
 
 const successResult: AuthenticationResult = {
 	user: mockUser,
@@ -46,7 +52,7 @@ function makeEvent(body: Record<string, unknown> = validBody) {
 function setupSuccessQueries() {
 	mockQuery
 		.mockResolvedValueOnce({ rows: [{ authenticationResult: successResult }] } as any) // register
-		.mockResolvedValueOnce({ rows: [] } as any)                                         // delete_session
+		.mockResolvedValueOnce({ rows: [] } as any) // delete_session
 }
 
 beforeEach(() => {
@@ -92,10 +98,9 @@ describe('POST /auth/register', () => {
 
 		await POST(makeEvent())
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('delete_session'),
-			[successResult.sessionId]
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('delete_session'), [
+			successResult.sessionId
+		])
 	})
 
 	it('calls the register SQL function with the full body', async () => {
@@ -103,10 +108,9 @@ describe('POST /auth/register', () => {
 
 		await POST(makeEvent())
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('register'),
-			[JSON.stringify(validBody)]
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('register'), [
+			JSON.stringify(validBody)
+		])
 	})
 
 	it('still sends the verification email when delete_session fails', async () => {
@@ -143,19 +147,27 @@ describe('POST /auth/register — validation', () => {
 	})
 
 	it('throws 400 when password has no uppercase letter', async () => {
-		await expect(POST(makeEvent({ ...validBody, password: 'password1!' }))).rejects.toMatchObject({ status: 400 })
+		await expect(POST(makeEvent({ ...validBody, password: 'password1!' }))).rejects.toMatchObject({
+			status: 400
+		})
 	})
 
 	it('throws 400 when password has no number', async () => {
-		await expect(POST(makeEvent({ ...validBody, password: 'Password!' }))).rejects.toMatchObject({ status: 400 })
+		await expect(POST(makeEvent({ ...validBody, password: 'Password!' }))).rejects.toMatchObject({
+			status: 400
+		})
 	})
 
 	it('throws 400 when password has no special character', async () => {
-		await expect(POST(makeEvent({ ...validBody, password: 'Password1' }))).rejects.toMatchObject({ status: 400 })
+		await expect(POST(makeEvent({ ...validBody, password: 'Password1' }))).rejects.toMatchObject({
+			status: 400
+		})
 	})
 
 	it('throws 400 when password is too short', async () => {
-		await expect(POST(makeEvent({ ...validBody, password: 'P1!' }))).rejects.toMatchObject({ status: 400 })
+		await expect(POST(makeEvent({ ...validBody, password: 'P1!' }))).rejects.toMatchObject({
+			status: 400
+		})
 	})
 
 	it('throws 400 when Turnstile verification fails', async () => {
@@ -175,7 +187,12 @@ describe('POST /auth/register — validation', () => {
 	})
 
 	it('throws the DB status code on registration failure (e.g. duplicate email)', async () => {
-		const dupResult: AuthenticationResult = { user: null, sessionId: '', status: 'Email already registered.', statusCode: 409 }
+		const dupResult: AuthenticationResult = {
+			user: null,
+			sessionId: '',
+			status: 'Email already registered.',
+			statusCode: 409
+		}
 		mockQuery.mockResolvedValueOnce({ rows: [{ authenticationResult: dupResult }] } as any)
 		await expect(POST(makeEvent())).rejects.toMatchObject({ status: 409 })
 	})

package/src/routes/auth/reset/+server.ts

@@ -50,8 +50,8 @@ export const PUT: RequestHandler = async event => {
 		return json({
 			message: 'Password successfully reset.'
 		})
-	} catch (error) {
-		// Technically, I should check error.message to make sure it's not a DB issue
+	} catch {
+		// Technically, we should check if it's a DB issue vs an invalid/expired token
 		return json(
 			{
 				message: 'Password reset token expired.'

package/src/routes/auth/reset/{+server.unit.test.ts → server.unit.test.ts}

@@ -13,7 +13,9 @@ const mockQuery = vi.mocked(query)
 const mockVerifyTurnstileToken = vi.mocked(verifyTurnstileToken)
 
 function makeResetToken(overrides: Record<string, unknown> = {}) {
-	return jwt.sign({ subject: 42, purpose: 'reset-password', ...overrides }, 'test-secret', { expiresIn: '30m' })
+	return jwt.sign({ subject: 42, purpose: 'reset-password', ...overrides }, 'test-secret', {
+		expiresIn: '30m'
+	})
 }
 
 function makeEvent(body: Record<string, unknown> = {}) {
@@ -58,10 +60,10 @@ describe('PUT /auth/reset', () => {
 
 		await PUT(makeEvent({ password: 'NewPassword1!' }))
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('reset_password'),
-			[42, 'NewPassword1!']
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('reset_password'), [
+			42,
+			'NewPassword1!'
+		])
 	})
 
 	it('invalidates existing sessions after a successful reset', async () => {
@@ -69,16 +71,11 @@ describe('PUT /auth/reset', () => {
 
 		await PUT(makeEvent())
 
-		expect(mockQuery).toHaveBeenCalledWith(
-			expect.stringContaining('delete_session'),
-			[42]
-		)
+		expect(mockQuery).toHaveBeenCalledWith(expect.stringContaining('delete_session'), [42])
 	})
 
 	it('still returns 200 when session invalidation fails', async () => {
-		mockQuery
-			.mockResolvedValueOnce({ rows: [] } as any)
-			.mockRejectedValueOnce(new Error('db down'))
+		mockQuery.mockResolvedValueOnce({ rows: [] } as any).mockRejectedValueOnce(new Error('db down'))
 
 		const res = await PUT(makeEvent())
 
@@ -86,7 +83,9 @@ describe('PUT /auth/reset', () => {
 	})
 
 	it('returns 403 when the token is expired', async () => {
-		const expiredToken = jwt.sign({ subject: 42, purpose: 'reset-password' }, 'test-secret', { expiresIn: -1 })
+		const expiredToken = jwt.sign({ subject: 42, purpose: 'reset-password' }, 'test-secret', {
+			expiresIn: -1
+		})
 
 		const res = await PUT(makeEvent({ token: expiredToken }))
 

package/src/routes/auth/verify/[token]/{+server.unit.test.ts → server.unit.test.ts}

@@ -10,7 +10,9 @@ import jwt from 'jsonwebtoken'
 const mockQuery = vi.mocked(query)
 
 function makeVerifyEmailToken(overrides: Record<string, unknown> = {}) {
-	return jwt.sign({ subject: '7', purpose: 'verify-email', ...overrides }, 'test-secret', { expiresIn: '24h' })
+	return jwt.sign({ subject: '7', purpose: 'verify-email', ...overrides }, 'test-secret', {
+		expiresIn: '24h'
+	})
 }
 
 function makeEvent(token: string) {
@@ -38,20 +40,24 @@ describe('GET /auth/verify/[token]', () => {
 		mockQuery.mockResolvedValue({ rows: [{ verify_email_and_create_session: 'sess-abc' }] } as any)
 		const event = makeEvent(makeVerifyEmailToken())
 
-		await GET(event).catch(() => {})
-
-		expect(event.cookies.set).toHaveBeenCalledWith('session', 'sess-abc', expect.objectContaining({
-			httpOnly: true,
-			sameSite: 'lax',
-			secure: true,
-			path: '/'
-		}))
+		await Promise.resolve(GET(event)).catch(() => {})
+
+		expect(event.cookies.set).toHaveBeenCalledWith(
+			'session',
+			'sess-abc',
+			expect.objectContaining({
+				httpOnly: true,
+				sameSite: 'lax',
+				secure: true,
+				path: '/'
+			})
+		)
 	})
 
 	it('calls verify_email_and_create_session with the userId from the token', async () => {
 		mockQuery.mockResolvedValue({ rows: [{ verify_email_and_create_session: 'sess-abc' }] } as any)
 
-		await GET(makeEvent(makeVerifyEmailToken())).catch(() => {})
+		await Promise.resolve(GET(makeEvent(makeVerifyEmailToken()))).catch(() => {})
 
 		expect(mockQuery).toHaveBeenCalledWith(
 			expect.stringContaining('verify_email_and_create_session'),
@@ -60,7 +66,9 @@ describe('GET /auth/verify/[token]', () => {
 	})
 
 	it('redirects to /login?error=invalid-token when the token is expired', async () => {
-		const expiredToken = jwt.sign({ subject: '7', purpose: 'verify-email' }, 'test-secret', { expiresIn: -1 })
+		const expiredToken = jwt.sign({ subject: '7', purpose: 'verify-email' }, 'test-secret', {
+			expiresIn: -1
+		})
 
 		await expect(GET(makeEvent(expiredToken))).rejects.toMatchObject({
 			location: '/login?error=invalid-token',
@@ -117,7 +125,7 @@ describe('GET /auth/verify/[token]', () => {
 		mockQuery.mockRejectedValue(new Error('db down'))
 		const event = makeEvent(makeVerifyEmailToken())
 
-		await GET(event).catch(() => {})
+		await Promise.resolve(GET(event)).catch(() => {})
 
 		expect(event.cookies.set).not.toHaveBeenCalled()
 	})

package/src/routes/register/+page.svelte

@@ -101,7 +101,7 @@
 		} catch (err) {
 			console.error('Register error', err)
 			if (err instanceof Error) {
-				throw new Error(err.message)
+				throw new Error(err.message, { cause: err })
 			}
 		} finally {
 			loading = false

package/src/service-worker.unit.test.ts

@@ -22,15 +22,17 @@ const mockCaches = {
 	delete: vi.fn()
 }
 
-const swHandlers: Record<string, Function> = {}
+const swHandlers: Record<string, (event: any) => void> = {}
 
 beforeAll(async () => {
 	vi.stubGlobal('caches', mockCaches)
 
 	// Spy on addEventListener to capture the handlers the SW registers
-	vi.spyOn(window, 'addEventListener').mockImplementation((type: string, handler: any) => {
-		swHandlers[type] = handler
-	})
+	vi.spyOn(window, 'addEventListener').mockImplementation(
+		(type: string, handler: EventListener) => {
+			swHandlers[type] = handler
+		}
+	)
 
 	// Reset module registry so the SW file re-evaluates and re-registers its listeners
 	vi.resetModules()