fix(#5,#36): Fix critical security issues and add comprehensive tests

SECURITY FIXES: - Replace generic Error with UnauthorizedException in all controllers - Fix workspace isolation bypass in findAll methods (CRITICAL) - Controllers now always use req.user.workspaceId, never allow query override CODE FIXES: - Fix redundant priority logic in tasks.service.ts - Use TaskPriority.MEDIUM as default instead of undefined TEST ADDITIONS: - Add multi-tenant isolation tests for all services (tasks, events, projects) - Add database constraint violation handling tests (P2002, P2003, P2025) - Add missing controller error tests for events and projects controllers - All new tests verify authentication and workspace isolation RESULTS: - All 247 tests passing - Test coverage: 94.35% (exceeds 85% requirement) - Critical security vulnerabilities fixed Fixes #5 Refs #36 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-28 18:55:07 -06:00
parent 132fe6ba98
commit a220c2dc0a
10 changed files with 417 additions and 21 deletions
--- a/apps/api/src/projects/projects.controller.spec.ts
+++ b/apps/api/src/projects/projects.controller.spec.ts
@@ -97,6 +97,16 @@ describe("ProjectsController", () => {
        createDto
      );
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.create({ name: "Test" }, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("findAll", () => {
@@ -121,6 +131,16 @@ describe("ProjectsController", () => {

      expect(result).toEqual(paginatedResult);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.findAll({}, requestWithoutWorkspace as any)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("findOne", () => {
@@ -131,6 +151,16 @@ describe("ProjectsController", () => {

      expect(result).toEqual(mockProject);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.findOne(mockProjectId, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("update", () => {
@@ -146,6 +176,16 @@ describe("ProjectsController", () => {

      expect(result).toEqual(updatedProject);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.update(mockProjectId, { name: "Test" }, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("remove", () => {
@@ -160,5 +200,15 @@ describe("ProjectsController", () => {
        mockUserId
      );
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.remove(mockProjectId, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });
 });