Krow-workspace/backend/unified-api/test/app.test.js


import test from 'node:test';
import assert from 'node:assert/strict';
import request from 'supertest';
import { createApp } from '../src/app.js';
// Turn the auth bypass on for this test process before any createApp() call.
// The fail-fast test further down shows createApp() rejecting this flag when
// APP_ENV is 'staging'.
// NOTE(review): presumably the flag skips real token verification; confirm the
// same guard covers every deployed environment, not only 'staging'.
process.env.AUTH_BYPASS = 'true';
// Liveness probe: /healthz must answer 200 and identify the service.
test('GET /healthz returns healthy response', async () => {
  const { status, body } = await request(createApp()).get('/healthz');

  assert.strictEqual(status, 200);
  assert.strictEqual(body.ok, true);
  assert.strictEqual(body.service, 'krow-api-v2');
});
// Readiness probe: with every database setting removed from the environment,
// /readyz must report 503 / DATABASE_NOT_CONFIGURED instead of claiming ready.
test('GET /readyz reports database not configured when env is absent', async () => {
  const databaseEnvKeys = [
    'DATABASE_URL',
    'DB_HOST',
    'DB_NAME',
    'DB_USER',
    'DB_PASSWORD',
    'INSTANCE_CONNECTION_NAME',
  ];
  // The keys are not restored afterwards, so every later test in this process
  // also runs without database configuration.
  for (const key of databaseEnvKeys) {
    delete process.env[key];
  }

  const response = await request(createApp()).get('/readyz');

  assert.strictEqual(response.status, 503);
  assert.strictEqual(response.body.status, 'DATABASE_NOT_CONFIGURED');
});
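// Guard test: with APP_ENV set to 'staging' and AUTH_BYPASS enabled,
// createApp() must throw instead of building an app with authentication off.
// NOTE(review): the title mentions unsafe upstream config, but only the
// AUTH_BYPASS message is asserted; the missing *_API_BASE_URL case is not
// pinned by this test.
test('createApp fails fast in protected env when upstream config is unsafe', async () => {
  process.env.APP_ENV = 'staging';
  process.env.AUTH_BYPASS = 'true';
  delete process.env.CORE_API_BASE_URL;
  delete process.env.COMMAND_API_BASE_URL;
  delete process.env.QUERY_API_BASE_URL;
  try {
    assert.throws(() => createApp(), /AUTH_BYPASS must be disabled/);
  } finally {
    // Clean up even when the assertion fails. Otherwise APP_ENV would stay
    // 'staging' and every later createApp() call in this file would hit the
    // same guard, burying the one real failure under unrelated ones.
    delete process.env.APP_ENV;
    process.env.AUTH_BYPASS = 'true';
  }
});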
// Input validation: a malformed e-mail and a too-short password must be
// rejected with 400 / VALIDATION_ERROR.
test('POST /auth/client/sign-in validates payload', async () => {
  const invalidCredentials = {
    email: 'bad-email',
    password: 'short',
  };
  const server = createApp();

  const response = await request(server)
    .post('/auth/client/sign-in')
    .send(invalidCredentials);

  assert.strictEqual(response.status, 400);
  assert.strictEqual(response.body.code, 'VALIDATION_ERROR');
});
// Happy path for client sign-in: the route must hand back whatever envelope
// the injected authService produces. The parse* stubs pass the body through
// unchanged, so payload validation is not exercised by this test.
test('POST /auth/client/sign-in returns injected auth envelope', async () => {
  const buildEnvelope = () => ({
    sessionToken: 'token',
    refreshToken: 'refresh',
    expiresInSeconds: 3600,
    user: { id: 'u1', email: 'legendary@krowd.com' },
    tenant: { tenantId: 't1' },
    business: { businessId: 'b1' },
  });
  const authService = {
    parseClientSignIn: (body) => body,
    parseClientSignUp: (body) => body,
    signInClient: async () => buildEnvelope(),
    // Sign-up must never be reached from the sign-in route.
    signUpClient: async () => assert.fail('signUpClient should not be called'),
    signOutActor: async () => ({ signedOut: true }),
    getSessionForActor: async () => ({ user: { userId: 'u1' } }),
  };
  const server = createApp({ authService });
  const credentials = {
    email: 'legendary@krowd.com',
    password: 'super-secret',
  };

  const response = await request(server)
    .post('/auth/client/sign-in')
    .send(credentials);

  assert.strictEqual(response.status, 200);
  assert.strictEqual(response.body.sessionToken, 'token');
  assert.strictEqual(response.body.business.businessId, 'b1');
});
// Session lookup: the actor resolved by the auth layer must be handed to
// authService.getSessionForActor. With AUTH_BYPASS enabled, the bearer value
// 'test-token' yields an actor whose uid is 'test-user' (asserted below).
// NOTE(review): this presumably involves no real token verification, so the
// test does not show that an invalid token is rejected.
test('GET /auth/session returns injected session for authenticated actor', async () => {
  const authService = {
    parseClientSignIn: (body) => body,
    parseClientSignUp: (body) => body,
    signInClient: async () => assert.fail('signInClient should not be called'),
    signUpClient: async () => assert.fail('signUpClient should not be called'),
    signOutActor: async () => ({ signedOut: true }),
    getSessionForActor: async (actor) => ({ actorUid: actor.uid }),
  };
  const server = createApp({ authService });

  const response = await request(server)
    .get('/auth/session')
    .set('Authorization', 'Bearer test-token');

  assert.strictEqual(response.status, 200);
  assert.strictEqual(response.body.actorUid, 'test-user');
});
// Routing check: /query/* requests go to QUERY_API_BASE_URL with path and
// query string preserved. fetchImpl is stubbed, so no network call is made.
// NOTE(review): the request carries no Authorization header and still gets
// 200 because AUTH_BYPASS is on; none of the tests visible in this part of the
// file covers the rejection path with the bypass off.
test('proxy forwards query routes to query base url', async () => {
  Object.assign(process.env, {
    QUERY_API_BASE_URL: 'https://query.example',
    CORE_API_BASE_URL: 'https://core.example',
    COMMAND_API_BASE_URL: 'https://command.example',
  });

  let forwardedUrl = null;
  const upstreamStub = async (url) => {
    forwardedUrl = String(url);
    const payload = JSON.stringify({ ok: true });
    return new Response(payload, {
      status: 200,
      headers: { 'content-type': 'application/json' },
    });
  };
  const server = createApp({ fetchImpl: upstreamStub });

  const response = await request(server).get('/query/test-route?foo=bar');

  assert.strictEqual(response.status, 200);
  assert.strictEqual(forwardedUrl, 'https://query.example/query/test-route?foo=bar');
});
// Routing check: a direct client read (/client/dashboard) is rewritten under
// /query on the query API. fetchImpl is stubbed, so no network call is made.
// NOTE(review): no Authorization header is sent; the 200 depends on
// AUTH_BYPASS being on, so access control on this route is not tested here.
test('proxy forwards direct client read routes to query api', async () => {
  Object.assign(process.env, {
    QUERY_API_BASE_URL: 'https://query.example',
    CORE_API_BASE_URL: 'https://core.example',
    COMMAND_API_BASE_URL: 'https://command.example',
  });

  let forwardedUrl = null;
  const upstreamStub = async (url) => {
    forwardedUrl = String(url);
    const payload = JSON.stringify({ ok: true });
    return new Response(payload, {
      status: 200,
      headers: { 'content-type': 'application/json' },
    });
  };
  const server = createApp({ fetchImpl: upstreamStub });

  const response = await request(server).get('/client/dashboard');

  assert.strictEqual(response.status, 200);
  assert.strictEqual(forwardedUrl, 'https://query.example/query/client/dashboard');
});
// Routing check: a direct client write (/client/orders/one-time) is rewritten
// under /commands on the command API. fetchImpl is stubbed, so only the
// target URL is observed; forwarded headers and body are not inspected.
test('proxy forwards direct client write routes to command api', async () => {
  Object.assign(process.env, {
    QUERY_API_BASE_URL: 'https://query.example',
    CORE_API_BASE_URL: 'https://core.example',
    COMMAND_API_BASE_URL: 'https://command.example',
  });

  let forwardedUrl = null;
  const upstreamStub = async (url) => {
    forwardedUrl = String(url);
    const payload = JSON.stringify({ ok: true });
    return new Response(payload, {
      status: 200,
      headers: { 'content-type': 'application/json' },
    });
  };
  const server = createApp({ fetchImpl: upstreamStub });

  const response = await request(server)
    .post('/client/orders/one-time')
    .set('Authorization', 'Bearer test-token')
    .send({ ok: true });

  assert.strictEqual(response.status, 200);
  assert.strictEqual(forwardedUrl, 'https://command.example/commands/client/orders/one-time');
});
// Routing check: the /staff/profile/certificates alias maps to the core API
// upload path /core/staff/certificates/upload. fetchImpl is stubbed, so only
// the target URL is observed.
test('proxy forwards direct core upload aliases to core api', async () => {
  Object.assign(process.env, {
    QUERY_API_BASE_URL: 'https://query.example',
    CORE_API_BASE_URL: 'https://core.example',
    COMMAND_API_BASE_URL: 'https://command.example',
  });

  let forwardedUrl = null;
  const upstreamStub = async (url) => {
    forwardedUrl = String(url);
    const payload = JSON.stringify({ ok: true });
    return new Response(payload, {
      status: 200,
      headers: { 'content-type': 'application/json' },
    });
  };
  const server = createApp({ fetchImpl: upstreamStub });

  const response = await request(server)
    .post('/staff/profile/certificates')
    .set('Authorization', 'Bearer test-token')
    .send({ ok: true });

  assert.strictEqual(response.status, 200);
  assert.strictEqual(forwardedUrl, 'https://core.example/core/staff/certificates/upload');
});
// Routing check: a PUT to the document-upload alias must reach the core API
// with the HTTP method preserved and the document id kept in the path.
test('proxy forwards PUT document upload aliases to core api', async () => {
  Object.assign(process.env, {
    QUERY_API_BASE_URL: 'https://query.example',
    CORE_API_BASE_URL: 'https://core.example',
    COMMAND_API_BASE_URL: 'https://command.example',
  });

  let forwardedUrl = null;
  let forwardedMethod = null;
  const upstreamStub = async (url, init = {}) => {
    forwardedUrl = String(url);
    forwardedMethod = init.method;
    const payload = JSON.stringify({ ok: true });
    return new Response(payload, {
      status: 200,
      headers: { 'content-type': 'application/json' },
    });
  };
  const server = createApp({ fetchImpl: upstreamStub });

  const response = await request(server)
    .put('/staff/profile/documents/doc-1/upload')
    .set('Authorization', 'Bearer test-token')
    .send({ verificationId: 'verification-1' });

  assert.strictEqual(response.status, 200);
  assert.strictEqual(forwardedMethod, 'PUT');
  assert.strictEqual(forwardedUrl, 'https://core.example/core/staff/documents/doc-1/upload');
});
// Routing check: /rapid-orders/process is forwarded to the core API under
// /core. fetchImpl is stubbed, so the free-text payload is never processed by
// a real upstream and only the target URL is observed.
test('proxy forwards rapid order process alias to core api', async () => {
  Object.assign(process.env, {
    QUERY_API_BASE_URL: 'https://query.example',
    CORE_API_BASE_URL: 'https://core.example',
    COMMAND_API_BASE_URL: 'https://command.example',
  });

  let forwardedUrl = null;
  const upstreamStub = async (url) => {
    forwardedUrl = String(url);
    const payload = JSON.stringify({ ok: true });
    return new Response(payload, {
      status: 200,
      headers: { 'content-type': 'application/json' },
    });
  };
  const server = createApp({ fetchImpl: upstreamStub });

  const response = await request(server)
    .post('/rapid-orders/process')
    .set('Authorization', 'Bearer test-token')
    .send({ text: 'Need 2 servers ASAP for 4 hours' });

  assert.strictEqual(response.status, 200);
  assert.strictEqual(forwardedUrl, 'https://core.example/core/rapid-orders/process');
});