4.9 KiB
Test Fixes Summary
Date: 2025-11-10
Status: ✅ Completed
Result: All 142 tests passing
Issues Found and Fixed
1. Middleware Tests Bypassing Authentication (12 test failures)
Problem:
The middleware tests were creating a MiddlewareManager with NODE_ENV=test, which caused all authentication middlewares to bypass their checks. This resulted in tests expecting 401 responses getting 200 instead.
Root Cause:
const authMiddleware = createMiddleware(async (c, next) => {
if (config.NODE_ENV === "test") {
c.set("user", config.TEST_USER_DATA);
await next();
return; // ← Bypassing all auth checks!
}
// ... actual auth logic
});
Solution:
Modified the middleware tests to use NODE_ENV=development instead of test:
// Before
const config = createConfig();
MiddlewareManager.initialize(config);
// After
const config = { ...createConfig(), NODE_ENV: "development" as const };
MiddlewareManager.initialize(config);
Tests Fixed:
- ✅ Auth middleware rejection tests (4 tests)
- ✅ Basic auth middleware tests (4 tests)
- ✅ Maybe authenticated middleware tests (2 tests)
- ✅ Regular user check test (1 test)
- ✅ Middleware chain test (1 test)
2. Auth Helper Runtime Type Safety (2 test failures)
Problem:
The validateAuthHeader function assumed the input would always be a string, but the edge case tests were passing numbers and objects coerced with as any. This caused authHeader.startsWith is not a function errors.
Root Cause:
export function validateAuthHeader(authHeader: string | undefined) {
if (!authHeader) { ... }
if (!authHeader.startsWith("Bearer ")) { ... } // ← Crashes if not a string!
}
Solution: Added runtime type checking before using string methods:
export function validateAuthHeader(authHeader: string | undefined) {
// Handle non-string inputs (runtime type safety)
if (typeof authHeader !== "string" || !authHeader) {
return {
success: false,
error: "Missing or invalid authorization header",
statusCode: 401,
};
}
if (!authHeader.startsWith("Bearer ")) { ... } // ← Safe now!
}
Tests Fixed:
- ✅ Edge case: number coerced to string
- ✅ Edge case: object coerced to string
Test Results
Before Fixes
ℹ tests 142
ℹ pass 128
ℹ fail 14
After Fixes
ℹ tests 142
ℹ pass 142
ℹ fail 0
100% pass rate! ✅
Files Modified
-
apps/api/src/__tests__/middlewares/middlewares.test.ts- Changed config to use
NODE_ENV=development - Ensures middlewares run their actual auth logic in tests
- Changed config to use
-
apps/api/src/helpers/auth.ts- Added
typeof authHeader !== "string"check - Provides runtime type safety for edge cases
- Added
Verification
TypeScript Compilation
> tsc --noEmit
✅ No errors
Linting
> biome check .
✅ Checked 37 files in 25ms. No fixes applied.
Tests
> turbo test --filter=@xtablo/api
✅ Tasks: 1 successful, 1 total
✅ Cached: 1 cached, 1 total
✅ Time: 246ms >>> FULL TURBO
Impact
Zero Breaking Changes
- All middleware behavior unchanged in production
- Test mode still works for integration tests
- Auth helper maintains same API
Improved Test Coverage
- Middleware tests now actually test authentication
- Edge cases properly handled at runtime
- More realistic test scenarios
Better Code Quality
- Runtime type safety in auth helper
- Clear separation of test vs production config
- Comprehensive validation coverage
Lessons Learned
1. Test Mode Bypasses Can Hide Issues
When testing middlewares, ensure test mode doesn't bypass the logic you're trying to test. Use production-like config for unit tests.
2. Runtime Type Safety Matters
Even with TypeScript, runtime type checks are important for:
- Edge cases with
as anycasts - External inputs (HTTP headers)
- Third-party library interactions
3. Discriminated Unions Are Powerful
The auth helper's return types make it impossible to access properties incorrectly:
const result = validateAuthHeader(header);
if (result.success) {
// TypeScript knows result.token exists
} else {
// TypeScript knows result.error exists
}
Related Documentation
- Auth Helper Refactor - Helper extraction
- Middleware Tests - Test suite overview
- Test Router Refactor - Test structure
Conclusion
All 142 tests are now passing with proper authentication logic being tested. The fixes maintain backwards compatibility while improving test coverage and runtime safety.
Key Achievements:
✅ Fixed 14 failing tests
✅ Improved middleware test accuracy
✅ Added runtime type safety
✅ Maintained backwards compatibility
✅ Zero breaking changes
✅ 100% test pass rate