Add Vitest security test suite and update security evaluation doc

Set up Vitest with server (node) and client (jsdom) test projects. 79 tests across 8 files verify all Phase 0-1 security controls: escapeHtml sanitization, DOMPurify markdown XSS prevention, CSRF enforcement, security headers, rate limiting, auth guards, profile field allowlist, and login anti-enumeration. Updated SECURITY_EVALUATION.md with remediation status, implementation summary, and automated test coverage details.
2026-03-01 12:30:06 +00:00 · 2026-03-01 12:30:06 +00:00 · 29c96a207e
commit 29c96a207e
parent d5c95ace0a
14 changed files with 2454 additions and 3 deletions
--- a/tests/server/api/auth-login.test.js
+++ b/tests/server/api/auth-login.test.js
@ -0,0 +1,113 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findOne: vi.fn() }
+}))
+
+vi.mock('../../../server/utils/mongoose.js', () => ({
+  connectDB: vi.fn()
+}))
+
+vi.mock('jsonwebtoken', () => ({
+  default: { sign: vi.fn().mockReturnValue('mock-jwt-token') }
+}))
+
+vi.mock('resend', () => ({
+  Resend: class MockResend {
+    constructor() {
+      this.emails = { send: vi.fn().mockResolvedValue({ id: 'email-123' }) }
+    }
+  }
+}))
+
+import Member from '../../../server/models/member.js'
+import loginHandler from '../../../server/api/auth/login.post.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('auth login endpoint', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('returns generic success message for existing member', async () => {
+    Member.findOne.mockResolvedValue({
+      _id: 'member-123',
+      email: 'exists@example.com'
+    })
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'exists@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+
+    const result = await loginHandler(event)
+
+    expect(result).toEqual({
+      success: true,
+      message: "If this email is registered, we've sent a login link."
+    })
+  })
+
+  it('returns identical response for non-existing member (anti-enumeration)', async () => {
+    Member.findOne.mockResolvedValue(null)
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'nonexistent@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+
+    const result = await loginHandler(event)
+
+    expect(result).toEqual({
+      success: true,
+      message: "If this email is registered, we've sent a login link."
+    })
+  })
+
+  it('both existing and non-existing produce same shape and message', async () => {
+    // Existing member
+    Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'a@b.com' })
+    const event1 = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'a@b.com' },
+      headers: { host: 'localhost:3000' }
+    })
+    const result1 = await loginHandler(event1)
+
+    vi.clearAllMocks()
+
+    // Non-existing member
+    Member.findOne.mockResolvedValue(null)
+    const event2 = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'nobody@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+    const result2 = await loginHandler(event2)
+
+    // Response shape and message must be identical
+    expect(Object.keys(result1).sort()).toEqual(Object.keys(result2).sort())
+    expect(result1.success).toBe(result2.success)
+    expect(result1.message).toBe(result2.message)
+  })
+
+  it('throws 400 when email is missing from body', async () => {
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: {},
+      headers: { host: 'localhost:3000' }
+    })
+
+    await expect(loginHandler(event)).rejects.toMatchObject({
+      statusCode: 400,
+      statusMessage: 'Email is required'
+    })
+  })
+})
--- a/tests/server/api/members-profile-patch.test.js
+++ b/tests/server/api/members-profile-patch.test.js
@ -0,0 +1,157 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/utils/auth.js', () => ({
+  requireAuth: vi.fn()
+}))
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findByIdAndUpdate: vi.fn() }
+}))
+
+import { requireAuth } from '../../../server/utils/auth.js'
+import Member from '../../../server/models/member.js'
+import profilePatchHandler from '../../../server/api/members/profile.patch.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('members profile PATCH endpoint', () => {
+  const mockMember = {
+    _id: 'member-123',
+    email: 'test@example.com',
+    name: 'Test User',
+    circle: 'community',
+    contributionTier: 5,
+    pronouns: 'they/them',
+    timeZone: 'America/New_York',
+    avatar: 'https://example.com/avatar.jpg',
+    studio: 'Test Studio',
+    bio: 'Updated bio',
+    location: 'NYC',
+    socialLinks: { twitter: '@test' },
+    offering: { text: 'help', tags: ['code'] },
+    lookingFor: { text: 'feedback', tags: ['design'] },
+    showInDirectory: true
+  }
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+    requireAuth.mockResolvedValue({ _id: 'member-123' })
+    Member.findByIdAndUpdate.mockResolvedValue(mockMember)
+  })
+
+  describe('field allowlist - forbidden fields are rejected', () => {
+    it('does not pass helcimCustomerId to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', helcimCustomerId: 'hacked-id' }
+      })
+
+      await profilePatchHandler(event)
+
+      const updateCall = Member.findByIdAndUpdate.mock.calls[0]
+      const setData = updateCall[1].$set
+      expect(setData).not.toHaveProperty('helcimCustomerId')
+      expect(setData).toHaveProperty('bio', 'new bio')
+    })
+
+    it('does not pass role to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', role: 'admin' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('role')
+    })
+
+    it('does not pass status to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', status: 'active' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('status')
+    })
+
+    it('does not pass email to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', email: 'hacked@evil.com' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('email')
+    })
+
+    it('does not pass _id to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', _id: 'different-id' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('_id')
+    })
+  })
+
+  describe('field allowlist - allowed fields pass through', () => {
+    it('passes allowed profile fields through', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: {
+          pronouns: 'they/them',
+          bio: 'Updated bio',
+          studio: 'Test Studio',
+          location: 'NYC',
+          timeZone: 'America/New_York',
+          avatar: 'https://example.com/avatar.jpg',
+          showInDirectory: true,
+          socialLinks: { twitter: '@test' }
+        }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).toHaveProperty('pronouns', 'they/them')
+      expect(setData).toHaveProperty('bio', 'Updated bio')
+      expect(setData).toHaveProperty('studio', 'Test Studio')
+      expect(setData).toHaveProperty('location', 'NYC')
+      expect(setData).toHaveProperty('timeZone', 'America/New_York')
+      expect(setData).toHaveProperty('avatar', 'https://example.com/avatar.jpg')
+      expect(setData).toHaveProperty('showInDirectory', true)
+      expect(setData).toHaveProperty('socialLinks')
+    })
+
+    it('passes offering and lookingFor nested objects through', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: {
+          offering: { text: 'mentoring', tags: ['code', 'design'] },
+          lookingFor: { text: 'feedback', tags: ['art'] }
+        }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData.offering).toEqual({ text: 'mentoring', tags: ['code', 'design'] })
+      expect(setData.lookingFor).toEqual({ text: 'feedback', tags: ['art'] })
+    })
+  })
+})