Skip to content

Add comprehensive controller-level tests for remittance, score, admin… #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Delightech28 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add comprehensive controller-level tests for remittance, score, admin… #33

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
335 changes: 335 additions & 0 deletions TEST_IMPLEMENTATION_SUMMARY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,335 @@
# Controller Tests Implementation Summary

## Overview
Successfully implemented comprehensive controller-level tests for all required endpoints per issue #19, following the supertest-based testing pattern established in the codebase.

## Test Files Created

### 1. remittanceController.test.ts
**Location**: `src/__tests__/remittanceController.test.ts`
**Coverage**:
- βœ… POST /api/remittances - Create remittance
- Unauthorized rejection (401)
- Happy path creation with auth (201)
- Validation (missing recipientAddress, amount)

- βœ… GET /api/remittances - List user's remittances
- Unauthorized rejection (401)
- Empty list response
- Full list with pagination
- Status filtering

- βœ… GET /api/remittances/:id - Get single remittance
- Unauthorized rejection (401)
- Forbidden access for non-owner (403)
- Happy path retrieval
- 404 handling

- βœ… POST /api/remittances/:id/submit - Submit signed transaction
- Unauthorized rejection (401)
- Forbidden access for non-owner (403)
- Rejection for non-pending status
- Happy path submission with status transitions
- Error handling with failed status update

**Authorization & Ownership Tests**:
- βœ… Wallet ownership enforcement on create
- βœ… Wallet ownership enforcement on get
- βœ… Wallet ownership enforcement on submit

**Test Count**: 20 tests covering unauthorized, forbidden, and happy-path cases

---

### 2. scoreController.test.ts
**Location**: `src/__tests__/scoreController.test.ts`
**Coverage**:
- βœ… GET /api/score/:userId - Get user's score
- Unauthorized rejection (401)
- Forbidden access when userId β‰  JWT wallet (403)
- Happy path score retrieval
- Default score (500) when no score exists
- Credit band classification (Excellent, Good, Fair, Poor)
- Score factors in response

- βœ… POST /api/score/update - Update score (API key protected)
- Missing/invalid API key rejection (401)
- On-time repayment (+15 delta)
- Late repayment (-30 delta)
- Score clamping (300-850 range)
- New user score creation
- Cache invalidation
- Validation (missing userId, onTime)

- βœ… GET /api/score/:userId/breakdown - Score breakdown
- Unauthorized rejection (401)
- Forbidden access when userId β‰  JWT wallet (403)
- Full breakdown response
- Zero-loan scenarios
- Payment history timeline inclusion

**Authorization & Ownership Tests**:
- βœ… Wallet-param-matches-JWT enforcement on getScore
- βœ… Wallet-param-matches-JWT enforcement on getScoreBreakdown
- βœ… API key requirement for updateScore (not JWT)

**Credit Band Classification Tests**:
- βœ… 8 parameterized test cases covering all bands and boundaries

**Test Count**: 30+ tests covering unauthorized, forbidden, happy-path, and credit band scenarios

---

### 3. adminDisputeController.test.ts
**Location**: `src/__tests__/adminDisputeController.test.ts`
**Coverage**:
- βœ… GET /api/admin/disputes - List disputes
- Unauthorized rejection (401)
- Admin role enforcement (403 for non-admin)
- List disputes response
- Empty list handling
- Status filtering
- Invalid status rejection

- βœ… GET /api/admin/disputes/:disputeId - Get dispute
- Unauthorized rejection (401)
- Admin role enforcement (403)
- Dispute details retrieval
- 404 for nonexistent dispute

- βœ… POST /api/admin/disputes/:disputeId/resolve - Resolve dispute
- Unauthorized rejection (401)
- Admin role enforcement (403)
- Resolve with "confirm" action
- Resolve with "reverse" action
- Invalid action rejection
- Resolution reason validation (min 5 chars)
- Already-resolved dispute rejection (404)
- Event logging verification

- βœ… POST /api/admin/disputes/:disputeId/reject - Reject dispute
- Unauthorized rejection (401)
- Admin role enforcement (403)
- Reject with optional admin note
- Reject without note
- Already-processed dispute rejection (404)
- Status update to "rejected" verification

**Authorization Tests**:
- βœ… Admin role enforcement on all endpoints
- βœ… Non-admin user rejection (borrower role)

**Happy Path Scenarios**:
- βœ… Complete flow: open β†’ resolve (confirm)
- βœ… Complete flow: open β†’ resolve (reverse)
- βœ… Complete flow: open β†’ reject

**Test Count**: 28 tests covering unauthorized, forbidden, authorization, and happy-path cases

---

### 4. notificationController.test.ts
**Location**: `src/__tests__/notificationController.test.ts`
**Coverage**:
- βœ… GET /api/notifications - Get notifications
- Unauthorized rejection (401)
- Notifications for authenticated user
- Empty notification list
- Limit parameter handling
- Limit capping at 100
- Unread count inclusion

- βœ… POST /api/notifications/mark-read - Mark specific as read
- Unauthorized rejection (401)
- Mark multiple notifications
- Mark single notification
- Empty ids array rejection
- Non-numeric ids rejection
- Non-array ids rejection
- Missing ids rejection
- User ownership enforcement

- βœ… POST /api/notifications/mark-all-read - Mark all as read
- Unauthorized rejection (401)
- Mark all as read
- User ownership enforcement
- Empty unread list handling

- βœ… GET /api/notifications/stream - SSE stream
- Unauthorized rejection (401)
- SSE connection establishment
- Unread notifications on connect
- Correct SSE headers (text/event-stream, no-cache, keep-alive)
- User subscription verification
- Empty notification list handling

**Authorization & Ownership Tests**:
- βœ… User isolation on get notifications
- βœ… User isolation on mark-read
- βœ… User isolation on mark-all-read
- βœ… User isolation on stream

**Happy Path Scenarios**:
- βœ… Complete flow: get β†’ mark-read β†’ mark-all-read
- βœ… Stream with initial unread notifications

**Test Count**: 28+ tests covering unauthorized, happy-path, and user isolation cases

---

### 5. authController.test.ts
**Location**: `src/__tests__/authController.test.ts`
**Coverage**:
- βœ… POST /api/auth/challenge - Request challenge
- Valid public key generates challenge
- Challenge includes message, nonce, timestamp
- Missing publicKey rejection
- Invalid public key format rejection
- Non-string publicKey rejection
- Empty publicKey rejection
- Unique nonces on multiple requests
- Expiration in milliseconds (5 minutes)

- βœ… POST /api/auth/login - Exchange signature for JWT
- Missing publicKey rejection
- Missing message rejection
- Missing signature rejection
- Invalid challenge message format rejection
- Expired challenge rejection (5+ min old)
- Invalid signature rejection
- Wrong signature length rejection
- Successful login with valid signature
- JWT token generation and format (3 parts)
- Secure cookie with HttpOnly/Max-Age
- Signature from different keypair rejection
- Signature with altered message rejection
- Invalid public key format rejection

**Authorization Tests**:
- βœ… Challenge endpoint accessible without auth (public)
- βœ… Login endpoint accessible without auth (public)

**Happy Path Scenarios**:
- βœ… Complete flow: challenge β†’ login
- βœ… Rejection of stale messages (>5 min old)
- βœ… Multiple independent auth flows for different users

**Test Count**: 28+ tests covering validation, rejection, and happy-path cases

---

## Test Framework & Patterns

### Mocking Strategy
All tests follow the established pattern in the codebase:
- Jest unstable_mockModule for service/connection mocking
- Direct mock function types with jest.fn<T>()
- MockedFunction types for accurate type safety

### Authentication Testing
- βœ… JWT token generation with public keys
- βœ… Bearer header format testing
- βœ… Admin role verification with ADMIN_WALLETS env var
- βœ… API key header testing (x-api-key)

### Authorization Patterns
- βœ… Ownership checks (wallet address matching)
- βœ… Role-based access control (admin role)
- βœ… Scope requirements (read:score, write:remittances, etc.)
- βœ… Parameter-JWT matching (requireWalletParamMatchesJwt)

### Error Response Testing
- βœ… 401 Unauthorized
- βœ… 403 Forbidden
- βœ… 404 Not Found
- βœ… 400 Bad Request
- βœ… 201 Created (for resource creation)

---

## Acceptance Criteria Compliance

βœ… **Add supertest-based tests for remittance**
- Create/submit ownership and status checks: 7 tests
- Covers unauthorized, forbidden, happy-path cases

βœ… **Add tests for score endpoints**
- Wallet-param-matches-JWT enforcement: 6 tests
- Score update with API key: 8 tests
- Credit band classification: 8 parameterized tests
- Covers unauthorized, forbidden, happy-path cases

βœ… **Add tests for admin dispute**
- Resolve/reject authorization paths: 12 tests
- Resolve confirm/reverse actions: 6 tests
- List and get disputes: 6 tests
- Covers unauthorized, forbidden, happy-path cases

βœ… **Cover at least unauthorized, forbidden, happy-path per controller**
- Remittance: 20 tests βœ“
- Score: 30+ tests βœ“
- Admin Dispute: 28 tests βœ“
- Notification: 28+ tests βœ“
- Auth: 28+ tests βœ“

---

## Files Not Requiring Tests (Per Scope)

❌ **indexerController** - Out of scope for this issue
❌ **E2E browser tests** - Out of scope
❌ **Load testing** - Out of scope

---

## Total Test Statistics

| Controller | Tests | Unauthorized | Forbidden | Happy-Path |
|-----------|-------|--------------|-----------|------------|
| Remittance | 20 | βœ… | βœ… | βœ… |
| Score | 30+ | βœ… | βœ… | βœ… |
| Admin Dispute | 28 | βœ… | βœ… | βœ… |
| Notification | 28+ | βœ… | βœ… | βœ… |
| Auth | 28+ | βœ… | βœ… | βœ… |
| **TOTAL** | **134+** | βœ… | βœ… | βœ… |

---

## How to Run Tests

```bash
# Run all controller tests
npm test -- --testNamePattern="Controller" --maxWorkers=1

# Run specific controller tests
npm test -- --testNamePattern="remittanceController" --maxWorkers=1
npm test -- --testNamePattern="scoreController" --maxWorkers=1
npm test -- --testNamePattern="adminDisputeController" --maxWorkers=1
npm test -- --testNamePattern="notificationController" --maxWorkers=1
npm test -- --testNamePattern="authController" --maxWorkers=1

# Run all tests
npm test
```

---

## Implementation Notes

1. **Mocking**: All external services (database, cache, Soroban, notifications) are properly mocked to isolate controller logic
2. **Auth Simulation**: Real JWT tokens are generated using the production authService for authentic testing
3. **Ownership Verification**: Controllers correctly enforce wallet ownership and role-based access
4. **Status Transitions**: Tests verify proper state changes (pending β†’ processing β†’ completed/failed)
5. **Error Handling**: All error paths are tested with appropriate HTTP status codes
6. **Validation**: Input validation for all required fields is tested

---

## Notes for Code Review

- All tests follow the pattern established in loanEndpoints.test.ts
- Tests are isolated with beforeEach/afterAll cleanup
- Mock functions are reset between tests to prevent cross-test contamination
- Environment variables (JWT_SECRET, ADMIN_WALLETS, INTERNAL_API_KEY) are properly set and cleaned up
- Bearer token format follows RFC 6750 standard
- API key format follows x-api-key header convention
Loading