Files
2026-07-13 13:39:12 +08:00

358 lines
16 KiB
TypeScript

/**
* tests/unit/quota-groups-route.test.ts
*
* Task B7 — source-level assertions for the quota groups REST routes.
*
* Uses the same source-scan technique as:
* tests/unit/budget-route-auth.test.ts
* tests/unit/quota-pool-log-route.test.ts
*
* This allows the test to run with the Node.js native test runner without
* a Next.js / DOM setup, while providing strong structural coverage of:
* - Auth guard pattern (requireManagementAuth, 401 without auth)
* - Error sanitization (buildErrorBody, no raw err.stack)
* - Response shapes ({ groups }, { group })
* - POST Zod validation
* - PATCH rename + combo re-sync wiring
* - DELETE 409 logic for protected/in-use groups
* - force-dynamic export
*/
import test from "node:test";
import assert from "node:assert/strict";
import { readFileSync } from "node:fs";
import { join, dirname } from "node:path";
import { fileURLToPath } from "node:url";
const ROOT = join(dirname(fileURLToPath(import.meta.url)), "..", "..");
const LIST_ROUTE_PATH = join(ROOT, "src/app/api/quota/groups/route.ts");
const ID_ROUTE_PATH = join(ROOT, "src/app/api/quota/groups/[id]/route.ts");
const SCHEMAS_PATH = join(ROOT, "src/shared/schemas/quota.ts");
const listSrc = readFileSync(LIST_ROUTE_PATH, "utf8");
const idSrc = readFileSync(ID_ROUTE_PATH, "utf8");
const schemasSrc = readFileSync(SCHEMAS_PATH, "utf8");
// ── Both routes: auth guard ───────────────────────────────────────────────────
test("groups/route.ts: imports requireManagementAuth", () => {
assert.ok(
listSrc.includes("requireManagementAuth"),
"route must import and call requireManagementAuth",
);
});
test("groups/route.ts: GET calls requireManagementAuth before data access", () => {
const getIdx = listSrc.indexOf("export async function GET");
assert.ok(getIdx >= 0, "GET handler must exist");
const postIdx = listSrc.indexOf("export async function POST");
const getBody = postIdx >= 0 ? listSrc.slice(getIdx, postIdx) : listSrc.slice(getIdx);
const authIdx = getBody.indexOf("requireManagementAuth(request)");
const dataIdx = getBody.indexOf("listGroups(");
assert.ok(authIdx >= 0, "requireManagementAuth call must be in GET handler");
assert.ok(dataIdx >= 0, "listGroups call must be in GET handler");
assert.ok(authIdx < dataIdx, "auth check must come before listGroups call");
});
test("groups/route.ts: GET returns early when authError is truthy", () => {
const getIdx = listSrc.indexOf("export async function GET");
const postIdx = listSrc.indexOf("export async function POST");
const getBody = postIdx >= 0 ? listSrc.slice(getIdx, postIdx) : listSrc.slice(getIdx);
assert.ok(
getBody.includes("if (authError) return authError"),
"GET must return authError immediately — 401 without auth",
);
});
test("groups/route.ts: POST calls requireManagementAuth before data access", () => {
const postIdx = listSrc.indexOf("export async function POST");
assert.ok(postIdx >= 0, "POST handler must exist");
const postBody = listSrc.slice(postIdx);
const authIdx = postBody.indexOf("requireManagementAuth(request)");
const jsonIdx = postBody.indexOf("request.json()");
assert.ok(authIdx >= 0, "requireManagementAuth call must be in POST handler");
assert.ok(jsonIdx >= 0, "request.json() must be in POST handler");
assert.ok(authIdx < jsonIdx, "auth check must come before request.json()");
});
test("groups/route.ts: POST returns early when authError is truthy", () => {
const postIdx = listSrc.indexOf("export async function POST");
const postBody = listSrc.slice(postIdx);
assert.ok(
postBody.includes("if (authError) return authError"),
"POST must return authError immediately — 401 without auth",
);
});
test("groups/[id]/route.ts: PATCH calls requireManagementAuth before data access", () => {
const patchIdx = idSrc.indexOf("export async function PATCH");
assert.ok(patchIdx >= 0, "PATCH handler must exist");
const deleteIdx = idSrc.indexOf("export async function DELETE");
const patchBody = deleteIdx >= 0 ? idSrc.slice(patchIdx, deleteIdx) : idSrc.slice(patchIdx);
const authIdx = patchBody.indexOf("requireManagementAuth(request)");
const jsonIdx = patchBody.indexOf("request.json()");
assert.ok(authIdx >= 0, "requireManagementAuth must be in PATCH handler");
assert.ok(jsonIdx >= 0, "request.json() must be in PATCH handler");
assert.ok(authIdx < jsonIdx, "auth check must come before request.json()");
});
test("groups/[id]/route.ts: PATCH returns early when authError is truthy", () => {
const patchIdx = idSrc.indexOf("export async function PATCH");
const deleteIdx = idSrc.indexOf("export async function DELETE");
const patchBody = deleteIdx >= 0 ? idSrc.slice(patchIdx, deleteIdx) : idSrc.slice(patchIdx);
assert.ok(patchBody.includes("if (authError) return authError"), "PATCH must return authError");
});
test("groups/[id]/route.ts: DELETE calls requireManagementAuth before data access", () => {
const deleteIdx = idSrc.indexOf("export async function DELETE");
assert.ok(deleteIdx >= 0, "DELETE handler must exist");
const deleteBody = idSrc.slice(deleteIdx);
const authIdx = deleteBody.indexOf("requireManagementAuth(request)");
const dataIdx = deleteBody.indexOf("deleteGroup(");
assert.ok(authIdx >= 0, "requireManagementAuth must be in DELETE handler");
assert.ok(dataIdx >= 0, "deleteGroup call must be in DELETE handler");
assert.ok(authIdx < dataIdx, "auth check must come before deleteGroup call");
});
test("groups/[id]/route.ts: DELETE returns early when authError is truthy", () => {
const deleteIdx = idSrc.indexOf("export async function DELETE");
const deleteBody = idSrc.slice(deleteIdx);
assert.ok(
deleteBody.includes("if (authError) return authError"),
"DELETE must return authError — 401 without auth",
);
});
// ── Error sanitization ────────────────────────────────────────────────────────
test("groups/route.ts: uses buildErrorBody from @omniroute/open-sse/utils/error", () => {
assert.ok(listSrc.includes("buildErrorBody"), "route must use buildErrorBody — Hard Rule #12");
assert.ok(
listSrc.includes("@omniroute/open-sse/utils/error"),
"route must import buildErrorBody from @omniroute/open-sse/utils/error",
);
});
test("groups/route.ts: does NOT put raw err.stack in response (no stack leak)", () => {
assert.ok(!listSrc.includes("err.stack"), "route must not leak err.stack in response");
});
test("groups/[id]/route.ts: uses buildErrorBody from @omniroute/open-sse/utils/error", () => {
assert.ok(idSrc.includes("buildErrorBody"), "route must use buildErrorBody — Hard Rule #12");
assert.ok(
idSrc.includes("@omniroute/open-sse/utils/error"),
"route must import buildErrorBody from @omniroute/open-sse/utils/error",
);
});
test("groups/[id]/route.ts: does NOT put raw err.stack in response (no stack leak)", () => {
assert.ok(!idSrc.includes("err.stack"), "route must not leak err.stack in response");
});
// ── Response shapes ───────────────────────────────────────────────────────────
test("groups/route.ts: GET returns { groups } shape", () => {
assert.ok(
listSrc.includes("{ groups }") || listSrc.includes("{groups}") || listSrc.includes("groups:"),
"GET must return { groups } in the response body",
);
});
test("groups/route.ts: POST returns { group } shape with status 201", () => {
const postIdx = listSrc.indexOf("export async function POST");
const postBody = listSrc.slice(postIdx);
assert.ok(
postBody.includes("{ group }") || postBody.includes("{group}") || postBody.includes("group:"),
"POST must return { group } in the response body",
);
assert.ok(postBody.includes("201"), "POST must return HTTP 201 on success");
});
test("groups/[id]/route.ts: PATCH returns { group } shape", () => {
const patchIdx = idSrc.indexOf("export async function PATCH");
const deleteIdx = idSrc.indexOf("export async function DELETE");
const patchBody = deleteIdx >= 0 ? idSrc.slice(patchIdx, deleteIdx) : idSrc.slice(patchIdx);
assert.ok(
patchBody.includes("{ group }") || patchBody.includes("{group}") || patchBody.includes("group:"),
"PATCH must return { group } in the response body",
);
});
// ── POST: Zod validation ──────────────────────────────────────────────────────
test("groups/route.ts: POST uses GroupCreateSchema for Zod validation", () => {
assert.ok(
listSrc.includes("GroupCreateSchema"),
"route must import and use GroupCreateSchema for POST body validation",
);
});
test("groups/route.ts: POST returns 400 on invalid body", () => {
const postIdx = listSrc.indexOf("export async function POST");
const postBody = listSrc.slice(postIdx);
assert.ok(postBody.includes("400"), "POST must return 400 for invalid body");
assert.ok(
postBody.includes("safeParse") || postBody.includes(".parse("),
"POST must use safeParse or parse for validation",
);
});
// ── PATCH: Zod validation + rename + combo re-sync ───────────────────────────
test("groups/[id]/route.ts: PATCH uses GroupRenameSchema for Zod validation", () => {
assert.ok(
idSrc.includes("GroupRenameSchema"),
"PATCH route must import and use GroupRenameSchema",
);
});
test("groups/[id]/route.ts: PATCH calls renameGroup", () => {
const patchIdx = idSrc.indexOf("export async function PATCH");
const deleteIdx = idSrc.indexOf("export async function DELETE");
const patchBody = deleteIdx >= 0 ? idSrc.slice(patchIdx, deleteIdx) : idSrc.slice(patchIdx);
assert.ok(patchBody.includes("renameGroup("), "PATCH must call renameGroup");
});
test("groups/[id]/route.ts: PATCH re-syncs combos via syncQuotaCombos (dynamic import)", () => {
const patchIdx = idSrc.indexOf("export async function PATCH");
const deleteIdx = idSrc.indexOf("export async function DELETE");
const patchBody = deleteIdx >= 0 ? idSrc.slice(patchIdx, deleteIdx) : idSrc.slice(patchIdx);
assert.ok(
patchBody.includes("syncQuotaCombos"),
"PATCH must call syncQuotaCombos to re-sync combos after rename",
);
});
test("groups/[id]/route.ts: PATCH fetches pools via getPoolsByGroup for combo re-sync", () => {
const patchIdx = idSrc.indexOf("export async function PATCH");
const deleteIdx = idSrc.indexOf("export async function DELETE");
const patchBody = deleteIdx >= 0 ? idSrc.slice(patchIdx, deleteIdx) : idSrc.slice(patchIdx);
assert.ok(
patchBody.includes("getPoolsByGroup("),
"PATCH must call getPoolsByGroup to enumerate pools for combo re-sync",
);
});
test("groups/[id]/route.ts: PATCH returns 404 when renameGroup returns false", () => {
const patchIdx = idSrc.indexOf("export async function PATCH");
const deleteIdx = idSrc.indexOf("export async function DELETE");
const patchBody = deleteIdx >= 0 ? idSrc.slice(patchIdx, deleteIdx) : idSrc.slice(patchIdx);
assert.ok(patchBody.includes("404"), "PATCH must return 404 when group is not found");
});
// ── DELETE: 409 on protected / in-use groups ──────────────────────────────────
test("groups/[id]/route.ts: DELETE maps deleteGroup throws to 409 Conflict", () => {
const deleteIdx = idSrc.indexOf("export async function DELETE");
const deleteBody = idSrc.slice(deleteIdx);
assert.ok(
deleteBody.includes("409"),
"DELETE must return 409 when deleteGroup throws (protected group or pools exist)",
);
});
test("groups/[id]/route.ts: DELETE catches deleteGroup throw and uses buildErrorBody for 409", () => {
const deleteIdx = idSrc.indexOf("export async function DELETE");
const deleteBody = idSrc.slice(deleteIdx);
// The 409 must go through buildErrorBody — not a raw Error message
assert.ok(
deleteBody.includes("buildErrorBody(409"),
"DELETE 409 response must use buildErrorBody(409, ...) — Hard Rule #12",
);
});
test("groups/[id]/route.ts: DELETE returns 204 on successful delete", () => {
const deleteIdx = idSrc.indexOf("export async function DELETE");
const deleteBody = idSrc.slice(deleteIdx);
assert.ok(deleteBody.includes("204"), "DELETE must return 204 on success");
});
test("groups/[id]/route.ts: DELETE returns 404 when group not found", () => {
const deleteIdx = idSrc.indexOf("export async function DELETE");
const deleteBody = idSrc.slice(deleteIdx);
assert.ok(deleteBody.includes("404"), "DELETE must return 404 when group does not exist");
});
// ── Params: Next 16 async params pattern ─────────────────────────────────────
test("groups/[id]/route.ts: reads id via await params (Next 16 pattern)", () => {
assert.ok(
idSrc.includes("await params"),
"route must use await params — Next 16 async params pattern",
);
});
test("groups/[id]/route.ts: RouteParams typed as Promise<{ id: string }>", () => {
assert.ok(
idSrc.includes("Promise<") && idSrc.includes("id: string"),
"params type must be Promise<{ id: string }> — matching pools/[id] pattern",
);
});
// ── force-dynamic ─────────────────────────────────────────────────────────────
test("groups/route.ts: has dynamic = 'force-dynamic' export", () => {
assert.ok(
listSrc.includes('dynamic = "force-dynamic"') || listSrc.includes("dynamic = 'force-dynamic'"),
"route must export dynamic = 'force-dynamic'",
);
});
test("groups/[id]/route.ts: has dynamic = 'force-dynamic' export", () => {
assert.ok(
idSrc.includes('dynamic = "force-dynamic"') || idSrc.includes("dynamic = 'force-dynamic'"),
"route must export dynamic = 'force-dynamic'",
);
});
// ── Schemas: GroupCreateSchema and GroupRenameSchema ─────────────────────────
test("shared/schemas/quota.ts: exports GroupCreateSchema", () => {
assert.ok(
schemasSrc.includes("export const GroupCreateSchema"),
"quota.ts must export GroupCreateSchema",
);
});
test("shared/schemas/quota.ts: GroupCreateSchema requires name (min 1)", () => {
assert.ok(
schemasSrc.includes("GroupCreateSchema") && schemasSrc.includes("min(1)"),
"GroupCreateSchema must enforce min(1) on name",
);
});
test("shared/schemas/quota.ts: exports GroupRenameSchema", () => {
assert.ok(
schemasSrc.includes("export const GroupRenameSchema"),
"quota.ts must export GroupRenameSchema",
);
});
// ── Import correctness ────────────────────────────────────────────────────────
test("groups/route.ts: imports listGroups and createGroup from @/lib/localDb", () => {
assert.ok(
listSrc.includes("listGroups") && listSrc.includes("createGroup"),
"route must import listGroups and createGroup",
);
});
test("groups/[id]/route.ts: imports renameGroup, deleteGroup, getGroup, getPoolsByGroup", () => {
assert.ok(idSrc.includes("renameGroup"), "route must import renameGroup");
assert.ok(idSrc.includes("deleteGroup"), "route must import deleteGroup");
assert.ok(idSrc.includes("getGroup"), "route must import getGroup");
assert.ok(idSrc.includes("getPoolsByGroup"), "route must import getPoolsByGroup");
});
// ── GroupDemo: listGroups result includes group-demo ──────────────────────────
test("groups/route.ts: listGroups() is called in GET (will include GroupDemo in real DB)", () => {
// Source-scan: the call is present; the seed group-demo row is guaranteed
// by the migration, so a real GET would always include it.
assert.ok(
listSrc.includes("listGroups()"),
"GET must call listGroups() — which includes the seeded GroupDemo row",
);
});