test(#411): add missing test coverage — getAccessToken, isAdmin, null cases, getClientIp

- Add getAccessToken tests (5): null session, valid token, expired token, buffer window, undefined token - Add isAdmin tests (4): null session, true, false, undefined - Add getUserById/getUserByEmail null-return tests (2) - Add getClientIp tests via handleAuth (4): single IP, comma-separated, array, fallback - Fix pre-existing controller spec failure by adding better-auth vi.mock calls Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 12:37:11 -06:00
parent 9696e45265
commit 110e181272
3 changed files with 295 additions and 1 deletions
--- a/apps/api/src/auth/auth.controller.spec.ts
+++ b/apps/api/src/auth/auth.controller.spec.ts
@@ -1,4 +1,25 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
+
+// Mock better-auth modules before importing AuthService (pulled in by AuthController)
+vi.mock("better-auth/node", () => ({
+  toNodeHandler: vi.fn().mockReturnValue(vi.fn()),
+}));
+
+vi.mock("better-auth", () => ({
+  betterAuth: vi.fn().mockReturnValue({
+    handler: vi.fn(),
+    api: { getSession: vi.fn() },
+  }),
+}));
+
+vi.mock("better-auth/adapters/prisma", () => ({
+  prismaAdapter: vi.fn().mockReturnValue({}),
+}));
+
+vi.mock("better-auth/plugins", () => ({
+  genericOAuth: vi.fn().mockReturnValue({ id: "generic-oauth" }),
+}));
+
 import { Test, TestingModule } from "@nestjs/testing";
 import { HttpException, HttpStatus } from "@nestjs/common";
 import type { AuthUser, AuthSession } from "@mosaic/shared";
@@ -337,4 +358,99 @@ describe("AuthController", () => {
      });
    });
  });
+
+  describe("getClientIp (via handleAuth)", () => {
+    it("should extract IP from X-Forwarded-For with single IP", async () => {
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: { "x-forwarded-for": "203.0.113.50" },
+        ip: "127.0.0.1",
+        socket: { remoteAddress: "127.0.0.1" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      // Spy on the logger to verify the extracted IP
+      const debugSpy = vi.spyOn(controller["logger"], "debug");
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(debugSpy).toHaveBeenCalledWith(
+        expect.stringContaining("203.0.113.50"),
+      );
+    });
+
+    it("should extract first IP from X-Forwarded-For with comma-separated IPs", async () => {
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: { "x-forwarded-for": "203.0.113.50, 70.41.3.18" },
+        ip: "127.0.0.1",
+        socket: { remoteAddress: "127.0.0.1" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      const debugSpy = vi.spyOn(controller["logger"], "debug");
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(debugSpy).toHaveBeenCalledWith(
+        expect.stringContaining("203.0.113.50"),
+      );
+      // Ensure it does NOT contain the second IP in the extracted position
+      expect(debugSpy).toHaveBeenCalledWith(
+        expect.not.stringContaining("70.41.3.18"),
+      );
+    });
+
+    it("should extract first IP from X-Forwarded-For as array", async () => {
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: { "x-forwarded-for": ["203.0.113.50", "70.41.3.18"] },
+        ip: "127.0.0.1",
+        socket: { remoteAddress: "127.0.0.1" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      const debugSpy = vi.spyOn(controller["logger"], "debug");
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(debugSpy).toHaveBeenCalledWith(
+        expect.stringContaining("203.0.113.50"),
+      );
+    });
+
+    it("should fallback to req.ip when no X-Forwarded-For header", async () => {
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: {},
+        ip: "192.168.1.100",
+        socket: { remoteAddress: "192.168.1.100" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      const debugSpy = vi.spyOn(controller["logger"], "debug");
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(debugSpy).toHaveBeenCalledWith(
+        expect.stringContaining("192.168.1.100"),
+      );
+    });
+  });
 });
--- a/apps/api/src/auth/auth.service.spec.ts
+++ b/apps/api/src/auth/auth.service.spec.ts
@@ -89,6 +89,23 @@ describe("AuthService", () => {
        },
      });
    });
+
+    it("should return null when user is not found", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      const result = await service.getUserById("nonexistent-id");
+
+      expect(result).toBeNull();
+      expect(mockPrismaService.user.findUnique).toHaveBeenCalledWith({
+        where: { id: "nonexistent-id" },
+        select: {
+          id: true,
+          email: true,
+          name: true,
+          authProviderId: true,
+        },
+      });
+    });
  });

  describe("getUserByEmail", () => {
@@ -115,6 +132,23 @@ describe("AuthService", () => {
        },
      });
    });
+
+    it("should return null when user is not found", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      const result = await service.getUserByEmail("unknown@example.com");
+
+      expect(result).toBeNull();
+      expect(mockPrismaService.user.findUnique).toHaveBeenCalledWith({
+        where: { email: "unknown@example.com" },
+        select: {
+          id: true,
+          email: true,
+          name: true,
+          authProviderId: true,
+        },
+      });
+    });
  });

  describe("isOidcProviderReachable", () => {