torbo/flyer-crawler.projectium.com
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

latest batch of fixes after frontend testing - almost done?
Some checks failed
Deploy to Test Environment / deploy-to-test (push) Failing after 1m7s
Details

Browse Source
This commit is contained in:
Torben Sorensen
2026-01-18 18:23:14 -08:00
parent bdb2e274cc
commit 327d3d4fbc
9 changed files with 182 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
src/config/passport.ts
View File

@@ -353,6 +353,50 @@ passport.use(
}),
);
// --- Custom Error Class for Unauthorized Access ---
class UnauthorizedError extends Error {
status: number;
constructor(message: string) {
super(message);
this.name = 'UnauthorizedError';
this.status = 401;
}
}
/**
* A required authentication middleware that returns standardized error responses.
* Unlike the default passport.authenticate(), this middleware ensures that 401 responses
* follow our API response format with { success: false, error: { code, message } }.
*
* Use this instead of `passport.authenticate('jwt', { session: false })` to ensure
* consistent error responses per ADR-028.
*/
export const requireAuth = (req: Request, res: Response, next: NextFunction) => {
passport.authenticate(
'jwt',
{ session: false },
(err: Error | null, user: Express.User | false, info: { message: string } | Error) => {
if (err) {
// An actual error occurred during authentication
req.log.error({ error: err }, 'Authentication error');
return next(err);
}
if (!user) {
// Authentication failed - return standardized error through error handler
const message =
info instanceof Error ? info.message : info?.message || 'Authentication required.';
req.log.warn({ info: message }, 'JWT authentication failed');
return next(new UnauthorizedError(message));
}
// Authentication succeeded - attach user and proceed
req.user = user;
next();
},
)(req, res, next);
};
// --- Middleware for Admin Role Check ---
export const isAdmin = (req: Request, res: Response, next: NextFunction) => {
// Use the type guard for safer access to req.user

6
src/routes/deals.routes.ts
View File

@@ -1,7 +1,7 @@
// src/routes/deals.routes.ts
import express, { type Request, type Response, type NextFunction } from 'express';
import { z } from 'zod';
import passport from '../config/passport';
import { requireAuth } from '../config/passport';
import { dealsRepo } from '../services/db/deals.db';
import type { UserProfile } from '../types';
import { validateRequest } from '../middleware/validation.middleware';
@@ -19,8 +19,8 @@ const bestWatchedPricesSchema = z.object({
// --- Middleware for all deal routes ---
// Per ADR-002, all routes in this file require an authenticated user.
// We apply the standard passport JWT middleware at the router level.
router.use(passport.authenticate('jwt', { session: false }));
// We apply the requireAuth middleware which returns standardized 401 responses per ADR-028.
router.use(requireAuth);
/**
* @openapi

49
src/routes/user.routes.ts
View File

@@ -338,7 +338,7 @@ router.post(
* description: Notification not found
*/
const notificationIdSchema = numericIdParam('notificationId');
type MarkNotificationReadRequest = z.infer<typeof notificationIdSchema>;
type NotificationIdRequest = z.infer<typeof notificationIdSchema>;
router.post(
'/notifications/:notificationId/mark-read',
validateRequest(notificationIdSchema),
@@ -346,7 +346,7 @@ router.post(
try {
const userProfile = req.user as UserProfile;
// Apply ADR-003 pattern for type safety
const { params } = req as unknown as MarkNotificationReadRequest;
const { params } = req as unknown as NotificationIdRequest;
await db.notificationRepo.markNotificationAsRead(
params.notificationId,
userProfile.user.user_id,
@@ -360,6 +360,51 @@ router.post(
},
);
/**
* @openapi
* /users/notifications/{notificationId}:
* delete:
* tags: [Users]
* summary: Delete a notification
* description: Delete a specific notification by its ID. Users can only delete their own notifications.
* security:
* - bearerAuth: []
* parameters:
* - in: path
* name: notificationId
* required: true
* schema:
* type: integer
* description: ID of the notification to delete
* responses:
* 204:
* description: Notification deleted successfully
* 401:
* description: Unauthorized - invalid or missing token
* 404:
* description: Notification not found or user does not have permission
*/
router.delete(
'/notifications/:notificationId',
validateRequest(notificationIdSchema),
async (req: Request, res: Response, next: NextFunction) => {
try {
const userProfile = req.user as UserProfile;
// Apply ADR-003 pattern for type safety
const { params } = req as unknown as NotificationIdRequest;
await db.notificationRepo.deleteNotification(
params.notificationId,
userProfile.user.user_id,
req.log,
);
sendNoContent(res);
} catch (error) {
req.log.error({ error }, 'Error deleting notification');
next(error);
}
},
);
/**
* @openapi
* /users/profile:

12
src/services/db/deals.db.ts
View File

@@ -32,7 +32,7 @@ export class DealsRepository {
const query = `
WITH UserWatchedItems AS (
-- Select all items the user is watching
SELECT master_item_id FROM watched_items WHERE user_id = $1
SELECT master_item_id FROM user_watched_items WHERE user_id = $1
),
RankedPrices AS (
-- Find all current sale prices for those items and rank them
@@ -70,9 +70,15 @@ export class DealsRepository {
const { rows } = await this.db.query<WatchedItemDeal>(query, [userId]);
return rows;
} catch (error) {
handleDbError(error, logger, 'Database error in findBestPricesForWatchedItems', { userId }, {
handleDbError(
error,
logger,
'Database error in findBestPricesForWatchedItems',
{ userId },
{
defaultMessage: 'Failed to find best prices for watched items.',
});
},
);
}
}
}

29
src/services/db/notification.db.ts
View File

@@ -213,6 +213,35 @@ export class NotificationRepository {
}
}
/**
* Deletes a single notification for a specific user.
* Ensures that a user can only delete their own notifications.
* @param notificationId The ID of the notification to delete.
* @param userId The ID of the user who owns the notification.
* @throws NotFoundError if the notification is not found or does not belong to the user.
*/
async deleteNotification(notificationId: number, userId: string, logger: Logger): Promise<void> {
try {
const res = await this.db.query(
`DELETE FROM public.notifications WHERE notification_id = $1 AND user_id = $2`,
[notificationId, userId],
);
if (res.rowCount === 0) {
throw new NotFoundError('Notification not found or user does not have permission.');
}
} catch (error) {
handleDbError(
error,
logger,
'Database error in deleteNotification',
{ notificationId, userId },
{
defaultMessage: 'Failed to delete notification.',
},
);
}
}
/**
* Deletes notifications that are older than a specified number of days.
* This is intended for a periodic cleanup job.

6
src/tests/e2e/admin-dashboard.e2e.test.ts
View File

@@ -75,9 +75,11 @@ describe('E2E Admin Dashboard Flow', () => {
expect(usersResponse.status).toBe(200);
const usersResponseBody = await usersResponse.json();
expect(Array.isArray(usersResponseBody.data)).toBe(true);
expect(usersResponseBody.data).toHaveProperty('users');
expect(usersResponseBody.data).toHaveProperty('total');
expect(Array.isArray(usersResponseBody.data.users)).toBe(true);
// The list should contain the admin user we just created
const self = usersResponseBody.data.find((u: any) => u.user_id === adminUserId);
const self = usersResponseBody.data.users.find((u: any) => u.user_id === adminUserId);
expect(self).toBeDefined();
// 6. Check Queue Status (Protected Admin Route)

23
src/tests/integration/deals.integration.test.ts
View File

@@ -42,11 +42,12 @@ describe('Deals API Routes Integration Tests', () => {
it('should require authentication', async () => {
const response = await request.get('/api/deals/best-watched-prices');
// Passport returns 401 Unauthorized for unauthenticated requests
expect(response.status).toBe(401);
expect(response.body.success).toBe(false);
});
it('should return watched item deals for authenticated user', async () => {
it('should return empty array for authenticated user with no watched items', async () => {
// The test user has no watched items by default, so should get empty array
const response = await request
.get('/api/deals/best-watched-prices')
.set('Authorization', `Bearer ${authToken}`);
@@ -56,24 +57,6 @@ describe('Deals API Routes Integration Tests', () => {
expect(response.body.data).toBeInstanceOf(Array);
});
it('should return empty array when user has no watched items', async () => {
// New test user with no watched items
const { token: newUserToken, user: newUser } = await createAndLoginUser({
email: `deals-no-watch-${Date.now()}@example.com`,
fullName: 'No Watch User',
request,
});
createdUserIds.push(newUser.user.user_id);
const response = await request
.get('/api/deals/best-watched-prices')
.set('Authorization', `Bearer ${newUserToken}`);
expect(response.status).toBe(200);
expect(response.body.success).toBe(true);
expect(response.body.data).toEqual([]);
});
it('should reject invalid JWT token', async () => {
const response = await request
.get('/api/deals/best-watched-prices')

5
src/tests/integration/public.routes.integration.test.ts
View File

@@ -167,8 +167,11 @@ describe('Public API Routes Integration Tests', () => {
it('GET /api/personalization/master-items should return a list of master grocery items', async () => {
const response = await request.get('/api/personalization/master-items');
const masterItems = response.body.data;
expect(response.status).toBe(200);
// The endpoint returns { items: [...], total: N } for pagination support
expect(response.body.data).toHaveProperty('items');
expect(response.body.data).toHaveProperty('total');
const masterItems = response.body.data.items;
expect(masterItems).toBeInstanceOf(Array);
expect(masterItems.length).toBeGreaterThan(0); // This relies on seed data for master items.
expect(masterItems[0]).toHaveProperty('master_grocery_item_id');

25
src/tests/setup/tests-setup-unit.ts
View File

@@ -36,6 +36,8 @@ if (typeof global.GeolocationPositionError === 'undefined') {
// Mock window.matchMedia, which is not implemented in JSDOM.
// This is necessary for components that check for the user's preferred color scheme.
// Guard against node environment where window doesn't exist (integration tests).
if (typeof window !== 'undefined') {
Object.defineProperty(window, 'matchMedia', {
writable: true,
value: vi.fn().mockImplementation((query) => ({
@@ -49,6 +51,7 @@ Object.defineProperty(window, 'matchMedia', {
dispatchEvent: vi.fn(),
})),
});
}
// --- Polyfill for File constructor and prototype ---
// The `File` object in JSDOM is incomplete. It lacks `arrayBuffer` and its constructor
@@ -334,12 +337,34 @@ vi.mock('../../services/aiApiClient', () => ({
vi.mock('@bull-board/express', () => ({
ExpressAdapter: class {
setBasePath() {}
setQueues() {} // Required by createBullBoard
setViewsPath() {} // Required by createBullBoard
setStaticPath() {} // Required by createBullBoard
setEntryRoute() {} // Required by createBullBoard
setErrorHandler() {} // Required by createBullBoard
setApiRoutes() {} // Required by createBullBoard
getRouter() {
return (req: Request, res: Response, next: NextFunction) => next();
}
},
}));
/**
* Mocks the @bull-board/api module.
* createBullBoard normally calls methods on the serverAdapter, but in tests
* we want to skip all of that initialization.
*/
vi.mock('@bull-board/api', () => ({
createBullBoard: vi.fn(() => ({
addQueue: vi.fn(),
removeQueue: vi.fn(),
setQueues: vi.fn(),
})),
BullMQAdapter: class {
constructor() {}
},
}));
/**
* Mocks the Sentry client.
* This prevents errors when tests import modules that depend on sentry.client.ts.