radziel/spotlightcam
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add JWT authentication with complete test coverage

Browse Source 
Phase 1 - Step 3: Authentication API

**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)

**API Endpoints:**
- POST /api/auth/register - User registration
  - Username validation (3-50 chars, alphanumeric + underscore)
  - Email validation and normalization
  - Password validation (min 6 chars)
  - Duplicate email/username detection
  - Auto-generated avatar (ui-avatars.com)

- POST /api/auth/login - User authentication
  - Email + password credentials
  - Returns JWT token + user data
  - Invalid credentials protection

- GET /api/users/me - Get current user (protected)
  - Requires valid JWT token
  - Returns user data + stats (matches, ratings)
  - Token validation via middleware

**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)

**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens

**Unit Tests (30 tests, 78.26% coverage):**

Auth Endpoints (14 tests):
-  Register: success, duplicate email, duplicate username
-  Register validation: invalid email, short password, short username
-  Login: success, wrong password, non-existent user, invalid format
-  Protected route: valid token, no token, invalid token, malformed header

Auth Utils (9 tests):
-  Password hashing and comparison
-  Different hashes for same password
-  JWT generation and verification
-  Token expiration validation
-  Invalid token handling

All tests passing 
Coverage: 78.26%
This commit is contained in:
Radosław Gierwiało
2025-11-12 22:16:14 +01:00
parent 0e62b12f5e
commit 3788274f73
14 changed files with 997 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

244
backend/src/__tests__/auth.test.js Normal file
View File

@@ -0,0 +1,244 @@
const request = require('supertest');
const app = require('../app');
const { prisma } = require('../utils/db');
const { hashPassword, generateToken } = require('../utils/auth');
// Clean up database before and after tests
beforeAll(async () => {
await prisma.user.deleteMany({});
});
afterAll(async () => {
await prisma.user.deleteMany({});
await prisma.$disconnect();
});
describe('Authentication API Tests', () => {
describe('POST /api/auth/register', () => {
it('should register a new user successfully', async () => {
const response = await request(app)
.post('/api/auth/register')
.send({
username: 'testuser',
email: 'test@example.com',
password: 'password123',
})
.expect('Content-Type', /json/)
.expect(201);
expect(response.body).toHaveProperty('success', true);
expect(response.body).toHaveProperty('message', 'User registered successfully');
expect(response.body.data).toHaveProperty('user');
expect(response.body.data).toHaveProperty('token');
expect(response.body.data.user).toHaveProperty('id');
expect(response.body.data.user).toHaveProperty('username', 'testuser');
expect(response.body.data.user).toHaveProperty('email', 'test@example.com');
expect(response.body.data.user).toHaveProperty('avatar');
expect(response.body.data.user).not.toHaveProperty('passwordHash');
});
it('should reject registration with duplicate email', async () => {
const response = await request(app)
.post('/api/auth/register')
.send({
username: 'anotheruser',
email: 'test@example.com', // Same email as above
password: 'password123',
})
.expect('Content-Type', /json/)
.expect(400);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Email already registered');
});
it('should reject registration with duplicate username', async () => {
const response = await request(app)
.post('/api/auth/register')
.send({
username: 'testuser', // Same username as above
email: 'another@example.com',
password: 'password123',
})
.expect('Content-Type', /json/)
.expect(400);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Username already taken');
});
it('should reject registration with invalid email', async () => {
const response = await request(app)
.post('/api/auth/register')
.send({
username: 'newuser',
email: 'invalid-email',
password: 'password123',
})
.expect('Content-Type', /json/)
.expect(400);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Validation Error');
});
it('should reject registration with short password', async () => {
const response = await request(app)
.post('/api/auth/register')
.send({
username: 'newuser',
email: 'new@example.com',
password: '12345', // Too short
})
.expect('Content-Type', /json/)
.expect(400);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Validation Error');
});
it('should reject registration with invalid username', async () => {
const response = await request(app)
.post('/api/auth/register')
.send({
username: 'ab', // Too short
email: 'new@example.com',
password: 'password123',
})
.expect('Content-Type', /json/)
.expect(400);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Validation Error');
});
});
describe('POST /api/auth/login', () => {
it('should login successfully with correct credentials', async () => {
const response = await request(app)
.post('/api/auth/login')
.send({
email: 'test@example.com',
password: 'password123',
})
.expect('Content-Type', /json/)
.expect(200);
expect(response.body).toHaveProperty('success', true);
expect(response.body).toHaveProperty('message', 'Login successful');
expect(response.body.data).toHaveProperty('user');
expect(response.body.data).toHaveProperty('token');
expect(response.body.data.user).toHaveProperty('email', 'test@example.com');
expect(response.body.data.user).not.toHaveProperty('passwordHash');
});
it('should reject login with incorrect password', async () => {
const response = await request(app)
.post('/api/auth/login')
.send({
email: 'test@example.com',
password: 'wrongpassword',
})
.expect('Content-Type', /json/)
.expect(401);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Invalid credentials');
});
it('should reject login with non-existent email', async () => {
const response = await request(app)
.post('/api/auth/login')
.send({
email: 'nonexistent@example.com',
password: 'password123',
})
.expect('Content-Type', /json/)
.expect(401);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Invalid credentials');
});
it('should reject login with invalid email format', async () => {
const response = await request(app)
.post('/api/auth/login')
.send({
email: 'invalid-email',
password: 'password123',
})
.expect('Content-Type', /json/)
.expect(400);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Validation Error');
});
});
describe('GET /api/users/me', () => {
let authToken;
beforeAll(async () => {
// Create a user and get token
const response = await request(app)
.post('/api/auth/login')
.send({
email: 'test@example.com',
password: 'password123',
});
authToken = response.body.data.token;
});
it('should return current user with valid token', async () => {
const response = await request(app)
.get('/api/users/me')
.set('Authorization', `Bearer ${authToken}`)
.expect('Content-Type', /json/)
.expect(200);
expect(response.body).toHaveProperty('success', true);
expect(response.body.data).toHaveProperty('id');
expect(response.body.data).toHaveProperty('username', 'testuser');
expect(response.body.data).toHaveProperty('email', 'test@example.com');
expect(response.body.data).toHaveProperty('stats');
expect(response.body.data.stats).toHaveProperty('matchesCount');
expect(response.body.data.stats).toHaveProperty('ratingsCount');
expect(response.body.data.stats).toHaveProperty('rating');
expect(response.body.data).not.toHaveProperty('passwordHash');
});
it('should reject request without token', async () => {
const response = await request(app)
.get('/api/users/me')
.expect('Content-Type', /json/)
.expect(401);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Unauthorized');
expect(response.body).toHaveProperty('message', 'No token provided');
});
it('should reject request with invalid token', async () => {
const response = await request(app)
.get('/api/users/me')
.set('Authorization', 'Bearer invalid-token')
.expect('Content-Type', /json/)
.expect(401);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Unauthorized');
expect(response.body).toHaveProperty('message', 'Invalid or expired token');
});
it('should reject request with malformed Authorization header', async () => {
const response = await request(app)
.get('/api/users/me')
.set('Authorization', authToken) // Missing 'Bearer ' prefix
.expect('Content-Type', /json/)
.expect(401);
expect(response.body).toHaveProperty('success', false);
expect(response.body).toHaveProperty('error', 'Unauthorized');
});
});
});

99
backend/src/__tests__/utils/auth.test.js Normal file
View File

@@ -0,0 +1,99 @@
const { hashPassword, comparePassword, generateToken, verifyToken } = require('../../utils/auth');
// Set up test environment variables
beforeAll(() => {
process.env.JWT_SECRET = 'test-secret-key';
process.env.JWT_EXPIRES_IN = '24h';
});
describe('Auth Utils Tests', () => {
describe('hashPassword and comparePassword', () => {
it('should hash password successfully', async () => {
const password = 'mySecretPassword123';
const hash = await hashPassword(password);
expect(hash).toBeDefined();
expect(hash).not.toBe(password);
expect(hash.length).toBeGreaterThan(0);
});
it('should compare password with hash successfully', async () => {
const password = 'mySecretPassword123';
const hash = await hashPassword(password);
const isValid = await comparePassword(password, hash);
expect(isValid).toBe(true);
});
it('should reject incorrect password', async () => {
const password = 'mySecretPassword123';
const wrongPassword = 'wrongPassword';
const hash = await hashPassword(password);
const isValid = await comparePassword(wrongPassword, hash);
expect(isValid).toBe(false);
});
it('should generate different hashes for same password', async () => {
const password = 'mySecretPassword123';
const hash1 = await hashPassword(password);
const hash2 = await hashPassword(password);
expect(hash1).not.toBe(hash2);
// But both should be valid
expect(await comparePassword(password, hash1)).toBe(true);
expect(await comparePassword(password, hash2)).toBe(true);
});
});
describe('generateToken and verifyToken', () => {
it('should generate a valid JWT token', () => {
const payload = { userId: 123 };
const token = generateToken(payload);
expect(token).toBeDefined();
expect(typeof token).toBe('string');
expect(token.split('.')).toHaveLength(3); // JWT has 3 parts
});
it('should verify a valid token', () => {
const payload = { userId: 123, email: 'test@example.com' };
const token = generateToken(payload);
const decoded = verifyToken(token);
expect(decoded).toBeDefined();
expect(decoded).toHaveProperty('userId', 123);
expect(decoded).toHaveProperty('email', 'test@example.com');
expect(decoded).toHaveProperty('iat'); // Issued at
expect(decoded).toHaveProperty('exp'); // Expiration
});
it('should reject invalid token', () => {
const invalidToken = 'invalid.token.here';
const decoded = verifyToken(invalidToken);
expect(decoded).toBeNull();
});
it('should reject malformed token', () => {
const malformedToken = 'notavalidtoken';
const decoded = verifyToken(malformedToken);
expect(decoded).toBeNull();
});
it('should include expiration time in token', () => {
const payload = { userId: 123 };
const token = generateToken(payload);
const decoded = verifyToken(token);
expect(decoded).toHaveProperty('exp');
expect(decoded.exp).toBeGreaterThan(decoded.iat);
// Should expire in approximately 24 hours (allowing 1 minute tolerance)
const expectedExpiration = decoded.iat + (24 * 60 * 60);
expect(Math.abs(decoded.exp - expectedExpiration)).toBeLessThan(60);
});
});
});

4
backend/src/app.js
View File

@@ -28,9 +28,9 @@ app.get('/api/health', (req, res) => {
});
// API routes
app.use('/api/auth', require('./routes/auth'));
app.use('/api/users', require('./routes/users'));
app.use('/api/events', require('./routes/events'));
// app.use('/api/auth', require('./routes/auth'));
// app.use('/api/users', require('./routes/users'));
// app.use('/api/matches', require('./routes/matches'));
// app.use('/api/ratings', require('./routes/ratings'));

117
backend/src/controllers/auth.js Normal file
View File

@@ -0,0 +1,117 @@
const { prisma } = require('../utils/db');
const { hashPassword, comparePassword, generateToken } = require('../utils/auth');
// Register new user
async function register(req, res, next) {
try {
const { username, email, password } = req.body;
// Check if user already exists
const existingUser = await prisma.user.findFirst({
where: {
OR: [
{ email },
{ username },
],
},
});
if (existingUser) {
if (existingUser.email === email) {
return res.status(400).json({
success: false,
error: 'Email already registered',
});
}
return res.status(400).json({
success: false,
error: 'Username already taken',
});
}
// Hash password
const passwordHash = await hashPassword(password);
// Create user
const user = await prisma.user.create({
data: {
username,
email,
passwordHash,
avatar: `https://ui-avatars.com/api/?name=${encodeURIComponent(username)}&background=6366f1&color=fff`,
},
select: {
id: true,
username: true,
email: true,
avatar: true,
createdAt: true,
},
});
// Generate token
const token = generateToken({ userId: user.id });
res.status(201).json({
success: true,
message: 'User registered successfully',
data: {
user,
token,
},
});
} catch (error) {
next(error);
}
}
// Login user
async function login(req, res, next) {
try {
const { email, password } = req.body;
// Find user by email
const user = await prisma.user.findUnique({
where: { email },
});
if (!user) {
return res.status(401).json({
success: false,
error: 'Invalid credentials',
});
}
// Compare password
const isPasswordValid = await comparePassword(password, user.passwordHash);
if (!isPasswordValid) {
return res.status(401).json({
success: false,
error: 'Invalid credentials',
});
}
// Generate token
const token = generateToken({ userId: user.id });
// Return user without password
const { passwordHash, ...userWithoutPassword } = user;
res.json({
success: true,
message: 'Login successful',
data: {
user: userWithoutPassword,
token,
},
});
} catch (error) {
next(error);
}
}
module.exports = {
register,
login,
};

64
backend/src/middleware/auth.js Normal file
View File

@@ -0,0 +1,64 @@
const { verifyToken } = require('../utils/auth');
const { prisma } = require('../utils/db');
// Authentication middleware
async function authenticate(req, res, next) {
try {
// Get token from header
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
return res.status(401).json({
success: false,
error: 'Unauthorized',
message: 'No token provided',
});
}
const token = authHeader.substring(7); // Remove 'Bearer ' prefix
// Verify token
const decoded = verifyToken(token);
if (!decoded) {
return res.status(401).json({
success: false,
error: 'Unauthorized',
message: 'Invalid or expired token',
});
}
// Get user from database
const user = await prisma.user.findUnique({
where: { id: decoded.userId },
select: {
id: true,
username: true,
email: true,
avatar: true,
createdAt: true,
updatedAt: true,
},
});
if (!user) {
return res.status(401).json({
success: false,
error: 'Unauthorized',
message: 'User not found',
});
}
// Attach user to request
req.user = user;
next();
} catch (error) {
console.error('Auth middleware error:', error);
res.status(500).json({
success: false,
error: 'Internal Server Error',
});
}
}
module.exports = { authenticate };

52
backend/src/middleware/validators.js Normal file
View File

@@ -0,0 +1,52 @@
const { body, validationResult } = require('express-validator');
// Validation error handler
function handleValidationErrors(req, res, next) {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({
success: false,
error: 'Validation Error',
details: errors.array(),
});
}
next();
}
// Register validation rules
const registerValidation = [
body('username')
.trim()
.isLength({ min: 3, max: 50 })
.withMessage('Username must be between 3 and 50 characters')
.matches(/^[a-zA-Z0-9_]+$/)
.withMessage('Username can only contain letters, numbers, and underscores'),
body('email')
.trim()
.isEmail()
.withMessage('Must be a valid email address')
.normalizeEmail(),
body('password')
.isLength({ min: 6 })
.withMessage('Password must be at least 6 characters long'),
handleValidationErrors,
];
// Login validation rules
const loginValidation = [
body('email')
.trim()
.isEmail()
.withMessage('Must be a valid email address')
.normalizeEmail(),
body('password')
.notEmpty()
.withMessage('Password is required'),
handleValidationErrors,
];
module.exports = {
registerValidation,
loginValidation,
handleValidationErrors,
};

13
backend/src/routes/auth.js Normal file
View File

@@ -0,0 +1,13 @@
const express = require('express');
const { register, login } = require('../controllers/auth');
const { registerValidation, loginValidation } = require('../middleware/validators');
const router = express.Router();
// POST /api/auth/register - Register new user
router.post('/register', registerValidation, register);
// POST /api/auth/login - Login user
router.post('/login', loginValidation, login);
module.exports = router;

66
backend/src/routes/users.js Normal file
View File

@@ -0,0 +1,66 @@
const express = require('express');
const { authenticate } = require('../middleware/auth');
const { prisma } = require('../utils/db');
const router = express.Router();
// GET /api/users/me - Get current authenticated user
router.get('/me', authenticate, async (req, res, next) => {
try {
// req.user is set by authenticate middleware
const user = await prisma.user.findUnique({
where: { id: req.user.id },
select: {
id: true,
username: true,
email: true,
avatar: true,
createdAt: true,
updatedAt: true,
_count: {
select: {
matchesAsUser1: true,
matchesAsUser2: true,
ratingsReceived: true,
},
},
},
});
if (!user) {
return res.status(404).json({
success: false,
error: 'User not found',
});
}
// Calculate total matches
const totalMatches = user._count.matchesAsUser1 + user._count.matchesAsUser2;
// Calculate average rating
const ratings = await prisma.rating.findMany({
where: { ratedId: user.id },
select: { score: true },
});
const averageRating = ratings.length > 0
? ratings.reduce((sum, r) => sum + r.score, 0) / ratings.length
: 0;
res.json({
success: true,
data: {
...user,
stats: {
matchesCount: totalMatches,
ratingsCount: user._count.ratingsReceived,
rating: averageRating.toFixed(1),
},
},
});
} catch (error) {
next(error);
}
});
module.exports = router;

36
backend/src/utils/auth.js Normal file
View File

@@ -0,0 +1,36 @@
const bcrypt = require('bcryptjs');
const jwt = require('jsonwebtoken');
// Hash password with bcrypt
async function hashPassword(password) {
const salt = await bcrypt.genSalt(10);
return bcrypt.hash(password, salt);
}
// Compare password with hash
async function comparePassword(password, hash) {
return bcrypt.compare(password, hash);
}
// Generate JWT token
function generateToken(payload) {
return jwt.sign(payload, process.env.JWT_SECRET, {
expiresIn: process.env.JWT_EXPIRES_IN || '24h',
});
}
// Verify JWT token
function verifyToken(token) {
try {
return jwt.verify(token, process.env.JWT_SECRET);
} catch (error) {
return null;
}
}
module.exports = {
hashPassword,
comparePassword,
generateToken,
verifyToken,
};