Add auth tests

sfbrigade · Mar 29, 2024 · 6b0e859 · 6b0e859
1 parent fdfe7f5
commit 6b0e859
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 3 deletions.
diff --git a/server/routes/api/v1/auth/index.js b/server/routes/api/v1/auth/index.js
@@ -37,7 +37,7 @@ export default async function (fastify, _opts) {
         if (!user) {
           return reply.notFound();
         }
-        const result = await bcrypt.compare(password, user.password);
+        const result = await bcrypt.compare(password, user.hashedPassword);
         if (!result) {
           return reply.unauthorized();
         }

diff --git a/server/test/fixtures/db/User.yml b/server/test/fixtures/db/User.yml
@@ -3,6 +3,6 @@ items:
   user1:
     firstName: Admin
     lastName: User
-    email: admin.user@gmail.com
+    email: admin.user@test.com
     role: ADMIN
     hashedPassword: $2b$10$ICaCk3VVZUCtO9HySahquuQusQhEnRpXHdzxaceUUJPk0DTwN2e/W # test
diff --git a/server/test/routes/api/v1/auth.test.js b/server/test/routes/api/v1/auth.test.js
@@ -9,10 +9,37 @@ describe('/api/v1/auth', () => {
     it('should return not found for email that is not registered', async (t) => {
       const app = await build(t);
       const response = await app.inject().post('/api/v1/auth/login').payload({
-        email: 'not.found@gmail.com',
+        email: 'not.found@test.com',
         password: 'test',
       });
       assert.deepStrictEqual(response.statusCode, StatusCodes.NOT_FOUND);
     });
+
+    it('should return unauthorized for invalid password', async (t) => {
+      const app = await build(t);
+      await t.loadFixtures();
+      const response = await app.inject().post('/api/v1/auth/login').payload({
+        email: '[email protected]',
+        password: 'invalid',
+      });
+      assert.deepStrictEqual(response.statusCode, StatusCodes.UNAUTHORIZED);
+    });
+
+    it('should return ok and a secure session cookie for valid credentials', async (t) => {
+      const app = await build(t);
+      await t.loadFixtures();
+      const response = await app.inject().post('/api/v1/auth/login').payload({
+        email: '[email protected]',
+        password: 'test',
+      });
+      assert.deepStrictEqual(response.statusCode, StatusCodes.OK);
+      const cookie = response.headers['set-cookie']
+        ?.split(';')
+        .map((t) => t.trim());
+      assert.ok(cookie[0].startsWith('session='));
+      assert.ok(cookie.includes('HttpOnly'));
+      assert.ok(cookie.includes('Secure'));
+      assert.ok(cookie.includes('SameSite=Strict'));
+    });
   });
 });