fix(#5,#36): Fix critical security issues and add comprehensive tests

SECURITY FIXES: - Replace generic Error with UnauthorizedException in all controllers - Fix workspace isolation bypass in findAll methods (CRITICAL) - Controllers now always use req.user.workspaceId, never allow query override CODE FIXES: - Fix redundant priority logic in tasks.service.ts - Use TaskPriority.MEDIUM as default instead of undefined TEST ADDITIONS: - Add multi-tenant isolation tests for all services (tasks, events, projects) - Add database constraint violation handling tests (P2002, P2003, P2025) - Add missing controller error tests for events and projects controllers - All new tests verify authentication and workspace isolation RESULTS: - All 247 tests passing - Test coverage: 94.35% (exceeds 85% requirement) - Critical security vulnerabilities fixed Fixes #5 Refs #36 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-28 18:55:07 -06:00
parent 132fe6ba98
commit a220c2dc0a
10 changed files with 417 additions and 21 deletions
--- a/apps/api/src/events/events.controller.spec.ts
+++ b/apps/api/src/events/events.controller.spec.ts
@@ -98,6 +98,16 @@ describe("EventsController", () => {
        createDto
      );
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.create({ title: "Test", startTime: new Date() }, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("findAll", () => {
@@ -122,6 +132,16 @@ describe("EventsController", () => {

      expect(result).toEqual(paginatedResult);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.findAll({}, requestWithoutWorkspace as any)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("findOne", () => {
@@ -132,6 +152,16 @@ describe("EventsController", () => {

      expect(result).toEqual(mockEvent);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.findOne(mockEventId, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("update", () => {
@@ -147,6 +177,16 @@ describe("EventsController", () => {

      expect(result).toEqual(updatedEvent);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.update(mockEventId, { title: "Test" }, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("remove", () => {
@@ -161,5 +201,15 @@ describe("EventsController", () => {
        mockUserId
      );
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.remove(mockEventId, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });
 });