"use strict"; var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); const vitest_1 = require("vitest"); const express_1 = __importDefault(require("express")); const bcryptjs_1 = __importDefault(require("bcryptjs")); const jsonwebtoken_1 = __importDefault(require("jsonwebtoken")); const supertest_1 = __importDefault(require("supertest")); const client_1 = require("@prisma/client"); const prisma = new client_1.PrismaClient(); const JWT_SECRET = 'test-secret-key'; function createApp() { const app = (0, express_1.default)(); app.use(express_1.default.json()); app.post('/register', async (req, res) => { try { const { email, password, name, inviteCode } = req.body; if (!email || !password || !name) { return res.status(400).json({ error: 'Email, password, and name are required' }); } const settings = await prisma.systemSettings.findUnique({ where: { id: 'default' } }); const isBanned = await prisma.bannedEmail.findUnique({ where: { email: email.toLowerCase() } }); if (isBanned) { return res.status(403).json({ error: 'This email is not allowed to register' }); } if (settings && !settings.registrationEnabled) { if (!inviteCode || settings.inviteCode !== inviteCode) { return res.status(403).json({ error: 'Registration is currently closed. An invite code may be required.' }); } } const existingUser = await prisma.user.findUnique({ where: { email } }); if (existingUser) { return res.status(400).json({ error: 'Email already registered' }); } const passwordHash = await bcryptjs_1.default.hash(password, 10); const userCount = await prisma.user.count(); const isFirstUser = userCount === 0; const user = await prisma.user.create({ data: { email, passwordHash, name, isAdmin: isFirstUser } }); const token = jsonwebtoken_1.default.sign({ userId: user.id }, JWT_SECRET, { expiresIn: '7d' }); res.json({ token, user: { id: user.id, email: user.email, name: user.name, isAdmin: user.isAdmin } }); } catch (error) { console.error('Register error:', error); res.status(500).json({ error: 'Failed to register' }); } }); app.post('/login', async (req, res) => { try { const { email, password } = req.body; if (!email || !password) { return res.status(400).json({ error: 'Email and password are required' }); } const user = await prisma.user.findUnique({ where: { email } }); if (!user) { return res.status(401).json({ error: 'Invalid credentials' }); } const validPassword = await bcryptjs_1.default.compare(password, user.passwordHash); if (!validPassword) { return res.status(401).json({ error: 'Invalid credentials' }); } const token = jsonwebtoken_1.default.sign({ userId: user.id }, JWT_SECRET, { expiresIn: '7d' }); res.json({ token, user: { id: user.id, email: user.email, name: user.name, isAdmin: user.isAdmin } }); } catch (error) { console.error('Login error:', error); res.status(500).json({ error: 'Failed to login' }); } }); app.get('/me', async (req, res) => { try { const authHeader = req.headers.authorization; if (!authHeader || !authHeader.startsWith('Bearer ')) { return res.status(401).json({ error: 'No token provided' }); } const token = authHeader.split(' ')[1]; const decoded = jsonwebtoken_1.default.verify(token, JWT_SECRET); const user = await prisma.user.findUnique({ where: { id: decoded.userId }, select: { id: true, email: true, name: true, isAdmin: true, isApiEnabled: true, createdAt: true } }); if (!user) { return res.status(401).json({ error: 'User not found' }); } res.json(user); } catch { res.status(401).json({ error: 'Invalid token' }); } }); return app; } (0, vitest_1.describe)('Auth Routes', () => { let app; async function cleanup() { await prisma.routeLeg.deleteMany(); await prisma.route.deleteMany(); await prisma.teamRoute.deleteMany(); await prisma.teamMember.deleteMany(); await prisma.team.deleteMany(); await prisma.photoSubmission.deleteMany(); await prisma.chatMessage.deleteMany(); await prisma.locationHistory.deleteMany(); await prisma.game.deleteMany(); await prisma.user.deleteMany(); await prisma.systemSettings.deleteMany(); await prisma.bannedEmail.deleteMany(); await prisma.apiKey.deleteMany(); } (0, vitest_1.beforeAll)(async () => { app = createApp(); await cleanup(); }); (0, vitest_1.afterAll)(async () => { await cleanup(); await prisma.$disconnect(); }); (0, vitest_1.beforeEach)(async () => { await cleanup(); }); (0, vitest_1.afterAll)(async () => { await prisma.user.deleteMany(); await prisma.systemSettings.deleteMany(); await prisma.bannedEmail.deleteMany(); await prisma.$disconnect(); }); (0, vitest_1.beforeEach)(async () => { await prisma.user.deleteMany(); await prisma.systemSettings.deleteMany(); await prisma.bannedEmail.deleteMany(); }); (0, vitest_1.describe)('POST /register', () => { (0, vitest_1.it)('should register a new user successfully', async () => { const res = await (0, supertest_1.default)(app) .post('/register') .send({ email: 'test@example.com', password: 'password123', name: 'Test User' }); (0, vitest_1.expect)(res.status).toBe(200); (0, vitest_1.expect)(res.body).toHaveProperty('token'); (0, vitest_1.expect)(res.body.user).toHaveProperty('id'); (0, vitest_1.expect)(res.body.user.email).toBe('test@example.com'); (0, vitest_1.expect)(res.body.user.name).toBe('Test User'); }); (0, vitest_1.it)('should return error when email is missing', async () => { const res = await (0, supertest_1.default)(app) .post('/register') .send({ password: 'password123', name: 'Test User' }); (0, vitest_1.expect)(res.status).toBe(400); (0, vitest_1.expect)(res.body.error).toContain('required'); }); (0, vitest_1.it)('should return error when email already exists', async () => { await (0, supertest_1.default)(app) .post('/register') .send({ email: 'test@example.com', password: 'password123', name: 'Test User' }); const res = await (0, supertest_1.default)(app) .post('/register') .send({ email: 'test@example.com', password: 'password456', name: 'Another User' }); (0, vitest_1.expect)(res.status).toBe(400); (0, vitest_1.expect)(res.body.error).toContain('already registered'); }); (0, vitest_1.it)('should not register a banned email', async () => { await prisma.bannedEmail.create({ data: { email: 'banned@example.com', reason: 'Test ban' } }); const res = await (0, supertest_1.default)(app) .post('/register') .send({ email: 'banned@example.com', password: 'password123', name: 'Banned User' }); (0, vitest_1.expect)(res.status).toBe(403); (0, vitest_1.expect)(res.body.error).toContain('not allowed'); }); (0, vitest_1.it)('should require invite code when registration is disabled', async () => { await prisma.systemSettings.create({ data: { id: 'default', registrationEnabled: false } }); const res = await (0, supertest_1.default)(app) .post('/register') .send({ email: 'test@example.com', password: 'password123', name: 'Test User' }); (0, vitest_1.expect)(res.status).toBe(403); (0, vitest_1.expect)(res.body.error).toContain('invite code'); }); (0, vitest_1.it)('should allow registration with valid invite code when registration is disabled', async () => { await prisma.systemSettings.create({ data: { id: 'default', registrationEnabled: false, inviteCode: 'VALID123' } }); const res = await (0, supertest_1.default)(app) .post('/register') .send({ email: 'test@example.com', password: 'password123', name: 'Test User', inviteCode: 'VALID123' }); (0, vitest_1.expect)(res.status).toBe(200); }); }); (0, vitest_1.describe)('POST /login', () => { (0, vitest_1.beforeEach)(async () => { const passwordHash = await bcryptjs_1.default.hash('password123', 10); await prisma.user.create({ data: { email: 'test@example.com', passwordHash, name: 'Test User' } }); }); (0, vitest_1.it)('should login successfully with valid credentials', async () => { const res = await (0, supertest_1.default)(app) .post('/login') .send({ email: 'test@example.com', password: 'password123' }); (0, vitest_1.expect)(res.status).toBe(200); (0, vitest_1.expect)(res.body).toHaveProperty('token'); (0, vitest_1.expect)(res.body.user.email).toBe('test@example.com'); }); (0, vitest_1.it)('should return error with invalid password', async () => { const res = await (0, supertest_1.default)(app) .post('/login') .send({ email: 'test@example.com', password: 'wrongpassword' }); (0, vitest_1.expect)(res.status).toBe(401); (0, vitest_1.expect)(res.body.error).toBe('Invalid credentials'); }); (0, vitest_1.it)('should return error for non-existent user', async () => { const res = await (0, supertest_1.default)(app) .post('/login') .send({ email: 'nonexistent@example.com', password: 'password123' }); (0, vitest_1.expect)(res.status).toBe(401); (0, vitest_1.expect)(res.body.error).toBe('Invalid credentials'); }); (0, vitest_1.it)('should return error when email is missing', async () => { const res = await (0, supertest_1.default)(app) .post('/login') .send({ password: 'password123' }); (0, vitest_1.expect)(res.status).toBe(400); }); }); (0, vitest_1.describe)('GET /me', () => { let token; let userId; (0, vitest_1.beforeEach)(async () => { const passwordHash = await bcryptjs_1.default.hash('password123', 10); const user = await prisma.user.create({ data: { email: 'test@example.com', passwordHash, name: 'Test User', isAdmin: true } }); userId = user.id; token = jsonwebtoken_1.default.sign({ userId: user.id }, JWT_SECRET, { expiresIn: '7d' }); }); (0, vitest_1.it)('should return user data with valid token', async () => { const res = await (0, supertest_1.default)(app) .get('/me') .set('Authorization', `Bearer ${token}`); (0, vitest_1.expect)(res.status).toBe(200); (0, vitest_1.expect)(res.body.id).toBe(userId); (0, vitest_1.expect)(res.body.email).toBe('test@example.com'); (0, vitest_1.expect)(res.body.isAdmin).toBe(true); }); (0, vitest_1.it)('should return 401 without token', async () => { const res = await (0, supertest_1.default)(app).get('/me'); (0, vitest_1.expect)(res.status).toBe(401); }); (0, vitest_1.it)('should return 401 with invalid token', async () => { const res = await (0, supertest_1.default)(app) .get('/me') .set('Authorization', 'Bearer invalid-token'); (0, vitest_1.expect)(res.status).toBe(401); }); }); });