favoritter

olemd/favoritter

Fork 0

Commit graph

Author	SHA1	Message	Date
Ole-Morten Duesund	a8f3aa6f7e	test: add comprehensive test suite (44 → 169 tests) and v1.1 plan Add 125 new test functions across 10 new test files, covering: - CSRF middleware (8 tests): double-submit cookie validation - Auth middleware (12 tests): SessionLoader, RequireAdmin, context helpers - API handlers (28 tests): auth, faves CRUD, tags, users, export/import - Web handlers (41 tests): signup, login, password reset, fave CRUD, admin panel, feeds, import/export, profiles, settings - Config (8 tests): env parsing, defaults, trusted proxies, normalization - Database (6 tests): migrations, PRAGMAs, idempotency, seeding - Image processing (10 tests): JPEG/PNG, resize, EXIF strip, path traversal - Render (6 tests): page/error/partial rendering, template functions - Settings store (3 tests): CRUD operations - Regression tests for display name fallback and CSP-safe autocomplete Also adds CSRF middleware to testServer chain for end-to-end CSRF verification, TESTPLAN.md documenting coverage, and PLANS-v1.1.md with implementation plans for notes+OG, PWA, editing UX, and admin. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 00:18:01 +02:00
Ole-Morten Duesund	3a3b526a95	test: add comprehensive test suite (44 tests across 3 packages) Store tests (21 tests): - Session: create, validate, delete, delete-all, expiry - Signup requests: create, duplicate, list pending, approve (creates user with must-reset), reject, double-approve/reject - Existing: user CRUD, auth, fave CRUD, tags, pagination Middleware tests (9 tests): - Real IP extraction from trusted/untrusted proxies - Base path stripping (with prefix, empty prefix) - Rate limiter (per-IP, exhaustion, different IPs) - Panic recovery (returns 500) - Security headers (CSP, X-Frame-Options, etc.) - RequireLogin redirect - MustResetPasswordGuard (static path passthrough) Handler integration tests (14 tests): - Health endpoint - Login page rendering, successful login, wrong password - Fave list requires auth, works when authenticated - Private fave hidden from other users, visible to owner - Admin panel requires admin role, works for admin - Tag search endpoint - Global Atom feed - Public profile with display name - Limited profile hides bio Also fixes template bugs: profile.html and fave_detail.html used $.IsOwner which fails inside {{with}} blocks ($ = root PageData, not .Data map). Fixed with $d variable capture pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-29 16:47:32 +02:00

Author

SHA1

Message

Date

Ole-Morten Duesund

a8f3aa6f7e

test: add comprehensive test suite (44 → 169 tests) and v1.1 plan

Add 125 new test functions across 10 new test files, covering:
- CSRF middleware (8 tests): double-submit cookie validation
- Auth middleware (12 tests): SessionLoader, RequireAdmin, context helpers
- API handlers (28 tests): auth, faves CRUD, tags, users, export/import
- Web handlers (41 tests): signup, login, password reset, fave CRUD,
  admin panel, feeds, import/export, profiles, settings
- Config (8 tests): env parsing, defaults, trusted proxies, normalization
- Database (6 tests): migrations, PRAGMAs, idempotency, seeding
- Image processing (10 tests): JPEG/PNG, resize, EXIF strip, path traversal
- Render (6 tests): page/error/partial rendering, template functions
- Settings store (3 tests): CRUD operations
- Regression tests for display name fallback and CSP-safe autocomplete

Also adds CSRF middleware to testServer chain for end-to-end CSRF
verification, TESTPLAN.md documenting coverage, and PLANS-v1.1.md
with implementation plans for notes+OG, PWA, editing UX, and admin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 00:18:01 +02:00

Ole-Morten Duesund

3a3b526a95

test: add comprehensive test suite (44 tests across 3 packages)

Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
  (creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination

Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)

Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio

Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-29 16:47:32 +02:00

2 commits