[PR #2807] Test api full suite #3167

New Issue

Open

opened 2026-04-16 09:50:52 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-16 09:50:52 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/2807
Author: @jbelke
Created: 4/7/2026
Status: 🔄 Open

Base: dev ← Head: test-api-full-suite

---

📝 Commits (8)

• 1f74e1b Merge pull request #2776 from fosrl/dev
• 16e7233 Merge pull request #2777 from fosrl/dev
• 035644e Merge pull request #2778 from fosrl/dev
• 6ce165b Merge pull request #2780 from fosrl/dev
• 4b3375a Merge pull request #2783 from fosrl/dev
• 3436105 Merge pull request #2784 from fosrl/dev
• da73b19 test: add comprehensive API testing suite with 254 tests
• 39f86ed Merge branch 'fosrl:main' into test-api-full-suite

📊 Changes

12 files changed (+3269 additions, -28 deletions)

View changed files

📝 package-lock.json (+955 -26)
📝 package.json (+6 -2)
➕ test/bugs/identified-bugs.test.ts (+169 -0)
➕ test/lib/ip.test.ts (+249 -0)
➕ test/lib/passwordSchema.test.ts (+71 -0)
➕ test/lib/sanitize.test.ts (+86 -0)
➕ test/lib/utilities.test.ts (+86 -0)
➕ test/lib/validators.test.ts (+279 -0)
➕ test/schemas/auth.test.ts (+480 -0)
➕ test/schemas/resource-org-site-role.test.ts (+488 -0)
➕ test/schemas/user.test.ts (+361 -0)
➕ vitest.config.ts (+39 -0)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Adds a comprehensive Vitest-based API testing suite with 254 tests across 9 test files covering schema validation, utility/library functions, and bug regression documentation.

What's included

Schema validation tests (Zod):

• Auth: login, signup, resetPassword, changePassword, requestTotpSecret, verifyTotp, disable2fa
• User: inviteUser (role deduplication, validHours boundaries), acceptInvite, createOrgUser
• Resource: HTTP resources (subdomain, stickySession, postAuthPath), raw resources (port range 1-65535)
• Organization: orgId regex validation, CIDR subnet validation
• Site: newt/wireguard/local type enum, exitNodeId, address
• Role: SSH PAM fields, sshSudoMode enum, sshSudoCommands

All schema tests validate strictObject rejection of unexpected fields, email lowercasing, boundary conditions, and required vs. optional field behavior.

Library/utility tests:

• validators — isValidCIDR, isValidIP, isValidDomain, isSecondLevelDomain, isValidUrlGlobPattern, isUrlValid, isTargetValid, validateHeaders
• ip — cidrToRange, findNextAvailableCidr, isIpInCidr, doCidrsOverlap, parseEndpoint, formatEndpoint, portRangeStringSchema, parsePortRangeString
• sanitize — null byte stripping, C0 control character removal, lone UTF-16 surrogate replacement
• passwordSchema — all strength requirements (upper, lower, digit, special), min/max length boundaries
• normalizePostAuthPath — open redirect prevention (//, : rejection), whitespace trimming
• stoi — string-to-integer pass-through behavior

Bug regression tests documenting 6 issues found during code review:

#	Severity	File	Issue
1	Low	signup.ts:4	Unused email named import from zod — will break on Zod v4
2	Medium	signup.ts:272	Only catches SqliteError for unique constraint — PostgreSQL duplicate signups get a 500 instead of "user already exists"
3	Low	resetPassword.ts:174	Response type is ResetPasswordResponse but data: null is set on success
4	Low	external.ts:970	Duplicate GET /idp/:idpId route registration (dead code)
5	Medium	external.ts:1251-1284	2FA rate limiters (enable, request, disable) all use signup: key prefix — rate limit bucket collision
6	Medium	external.ts:1235	Olm get-token rate limiter keys on req.body.newtId instead of req.body.olmId (copy-paste from newt endpoint)

These are documented as tests only; source fixes are intentionally deferred to a follow-up PR.

Infrastructure:

• vitest.config.ts with v8 coverage provider and path aliases
• package.json: added vitest devDependency, test, test:watch, test:coverage scripts

Design notes

• Schema tests re-define Zod schemas inline rather than importing from handler files to avoid pulling in transitive config/db/session dependencies that require a running server
• IP utility tests mock @server/lib/config, @server/db, and @server/logger at the module level since ip.ts imports them at top-level even though the tested functions are pure
• No test touches the database, config files, email, or network — the entire suite runs in ~400ms

How to test?

# Run all tests
npm test

# Run with watch mode
npm run test:watch

# Run with coverage report
npm run test:coverage

# Verify build is unaffected
npm run build

Expected output:

 ✓ test/schemas/auth.test.ts (47 tests) 5ms
 ✓ test/schemas/user.test.ts (34 tests) 4ms
 ✓ test/schemas/resource-org-site-role.test.ts (42 tests) 6ms
 ✓ test/lib/validators.test.ts (50 tests) 8ms
 ✓ test/lib/ip.test.ts (37 tests) 4ms
 ✓ test/lib/sanitize.test.ts (12 tests) 1ms
 ✓ test/lib/passwordSchema.test.ts (12 tests) 1ms
 ✓ test/lib/utilities.test.ts (14 tests) 1ms
 ✓ test/bugs/identified-bugs.test.ts (6 tests) 2ms

 Test Files  9 passed (9)
      Tests  254 passed (254)

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/2807 **Author:** [@jbelke](https://github.com/jbelke) **Created:** 4/7/2026 **Status:** 🔄 Open **Base:** `dev` ← **Head:** `test-api-full-suite` --- ### 📝 Commits (8) - [`1f74e1b`](https://github.com/fosrl/pangolin/commit/1f74e1b320b2a22c2f9f13af4e10893b6df24189) Merge pull request #2776 from fosrl/dev - [`16e7233`](https://github.com/fosrl/pangolin/commit/16e7233a3eaeae171312f154df8109b03c7ca3dc) Merge pull request #2777 from fosrl/dev - [`035644e`](https://github.com/fosrl/pangolin/commit/035644eaf767e4b50339f6d29892436f1c7eb6a5) Merge pull request #2778 from fosrl/dev - [`6ce165b`](https://github.com/fosrl/pangolin/commit/6ce165bfd5b20a0a63b4c170982d8d060825f472) Merge pull request #2780 from fosrl/dev - [`4b3375a`](https://github.com/fosrl/pangolin/commit/4b3375ab8e63c0028a004ee2b30f4a8381c63436) Merge pull request #2783 from fosrl/dev - [`3436105`](https://github.com/fosrl/pangolin/commit/3436105bec4ec3377dad3c0a8f2c2a3934a1f994) Merge pull request #2784 from fosrl/dev - [`da73b19`](https://github.com/fosrl/pangolin/commit/da73b19cacdab6fb8f79f9c0c276c2857c8e3341) test: add comprehensive API testing suite with 254 tests - [`39f86ed`](https://github.com/fosrl/pangolin/commit/39f86edae61320086a3f9091400321c92819f452) Merge branch 'fosrl:main' into test-api-full-suite ### 📊 Changes **12 files changed** (+3269 additions, -28 deletions) <details> <summary>View changed files</summary> 📝 `package-lock.json` (+955 -26) 📝 `package.json` (+6 -2) ➕ `test/bugs/identified-bugs.test.ts` (+169 -0) ➕ `test/lib/ip.test.ts` (+249 -0) ➕ `test/lib/passwordSchema.test.ts` (+71 -0) ➕ `test/lib/sanitize.test.ts` (+86 -0) ➕ `test/lib/utilities.test.ts` (+86 -0) ➕ `test/lib/validators.test.ts` (+279 -0) ➕ `test/schemas/auth.test.ts` (+480 -0) ➕ `test/schemas/resource-org-site-role.test.ts` (+488 -0) ➕ `test/schemas/user.test.ts` (+361 -0) ➕ `vitest.config.ts` (+39 -0) </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description Adds a comprehensive Vitest-based API testing suite with **254 tests across 9 test files** covering schema validation, utility/library functions, and bug regression documentation. ### What's included **Schema validation tests (Zod):** - Auth: login, signup, resetPassword, changePassword, requestTotpSecret, verifyTotp, disable2fa - User: inviteUser (role deduplication, validHours boundaries), acceptInvite, createOrgUser - Resource: HTTP resources (subdomain, stickySession, postAuthPath), raw resources (port range 1-65535) - Organization: orgId regex validation, CIDR subnet validation - Site: newt/wireguard/local type enum, exitNodeId, address - Role: SSH PAM fields, sshSudoMode enum, sshSudoCommands All schema tests validate `strictObject` rejection of unexpected fields, email lowercasing, boundary conditions, and required vs. optional field behavior. **Library/utility tests:** - `validators` — isValidCIDR, isValidIP, isValidDomain, isSecondLevelDomain, isValidUrlGlobPattern, isUrlValid, isTargetValid, validateHeaders - `ip` — cidrToRange, findNextAvailableCidr, isIpInCidr, doCidrsOverlap, parseEndpoint, formatEndpoint, portRangeStringSchema, parsePortRangeString - `sanitize` — null byte stripping, C0 control character removal, lone UTF-16 surrogate replacement - `passwordSchema` — all strength requirements (upper, lower, digit, special), min/max length boundaries - `normalizePostAuthPath` — open redirect prevention (`//`, `:` rejection), whitespace trimming - `stoi` — string-to-integer pass-through behavior **Bug regression tests** documenting 6 issues found during code review: | # | Severity | File | Issue | |---|----------|------|-------| | 1 | Low | `signup.ts:4` | Unused `email` named import from `zod` — will break on Zod v4 | | 2 | Medium | `signup.ts:272` | Only catches `SqliteError` for unique constraint — PostgreSQL duplicate signups get a 500 instead of "user already exists" | | 3 | Low | `resetPassword.ts:174` | Response type is `ResetPasswordResponse` but `data: null` is set on success | | 4 | Low | `external.ts:970` | Duplicate `GET /idp/:idpId` route registration (dead code) | | 5 | Medium | `external.ts:1251-1284` | 2FA rate limiters (`enable`, `request`, `disable`) all use `signup:` key prefix — rate limit bucket collision | | 6 | Medium | `external.ts:1235` | Olm `get-token` rate limiter keys on `req.body.newtId` instead of `req.body.olmId` (copy-paste from newt endpoint) | These are documented as tests only; source fixes are intentionally deferred to a follow-up PR. **Infrastructure:** - `vitest.config.ts` with v8 coverage provider and path aliases - `package.json`: added `vitest` devDependency, `test`, `test:watch`, `test:coverage` scripts ### Design notes - Schema tests re-define Zod schemas inline rather than importing from handler files to avoid pulling in transitive config/db/session dependencies that require a running server - IP utility tests mock `@server/lib/config`, `@server/db`, and `@server/logger` at the module level since `ip.ts` imports them at top-level even though the tested functions are pure - No test touches the database, config files, email, or network — the entire suite runs in ~400ms ## How to test? ```bash # Run all tests npm test # Run with watch mode npm run test:watch # Run with coverage report npm run test:coverage # Verify build is unaffected npm run build ``` Expected output: ``` ✓ test/schemas/auth.test.ts (47 tests) 5ms ✓ test/schemas/user.test.ts (34 tests) 4ms ✓ test/schemas/resource-org-site-role.test.ts (42 tests) 6ms ✓ test/lib/validators.test.ts (50 tests) 8ms ✓ test/lib/ip.test.ts (37 tests) 4ms ✓ test/lib/sanitize.test.ts (12 tests) 1ms ✓ test/lib/passwordSchema.test.ts (12 tests) 1ms ✓ test/lib/utilities.test.ts (14 tests) 1ms ✓ test/bugs/identified-bugs.test.ts (6 tests) 2ms Test Files 9 passed (9) Tests 254 passed (254) ``` --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-04-16 09:50:52 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/axios-1.15.2

s3

dependabot/npm_and_yarn/next-intl-4.9.2

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#3167