ghostguild-org/tests/server/api/auth-login.test.js

import { describe, it, expect, vi, beforeEach } from 'vitest'

vi.mock('../../../server/models/member.js', () => ({
  default: { findOne: vi.fn() }
}))

vi.mock('../../../server/utils/mongoose.js', () => ({
  connectDB: vi.fn()
}))

vi.mock('jsonwebtoken', () => ({
  default: { sign: vi.fn().mockReturnValue('mock-jwt-token') }
}))

vi.mock('resend', () => ({
  Resend: class MockResend {
    constructor() {
      this.emails = { send: vi.fn().mockResolvedValue({ id: 'email-123' }) }
    }
  }
}))

import Member from '../../../server/models/member.js'
import loginHandler from '../../../server/api/auth/login.post.js'
import { createMockEvent } from '../helpers/createMockEvent.js'

describe('auth login endpoint', () => {
  beforeEach(() => {
    vi.clearAllMocks()
  })

  it('returns generic success message for existing member', async () => {
    Member.findOne.mockResolvedValue({
      _id: 'member-123',
      email: 'exists@example.com'
    })

    const event = createMockEvent({
      method: 'POST',
      path: '/api/auth/login',
      body: { email: 'exists@example.com' },
      headers: { host: 'localhost:3000' }
    })

    const result = await loginHandler(event)

    expect(result).toEqual({
      success: true,
      message: "If this email is registered, we've sent a login link."
    })
  })

  it('returns identical response for non-existing member (anti-enumeration)', async () => {
    Member.findOne.mockResolvedValue(null)

    const event = createMockEvent({
      method: 'POST',
      path: '/api/auth/login',
      body: { email: 'nonexistent@example.com' },
      headers: { host: 'localhost:3000' }
    })

    const result = await loginHandler(event)

    expect(result).toEqual({
      success: true,
      message: "If this email is registered, we've sent a login link."
    })
  })

  it('both existing and non-existing produce same shape and message', async () => {
    // Existing member
    Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'a@b.com' })
    const event1 = createMockEvent({
      method: 'POST',
      path: '/api/auth/login',
      body: { email: 'a@b.com' },
      headers: { host: 'localhost:3000' }
    })
    const result1 = await loginHandler(event1)

    vi.clearAllMocks()

    // Non-existing member
    Member.findOne.mockResolvedValue(null)
    const event2 = createMockEvent({
      method: 'POST',
      path: '/api/auth/login',
      body: { email: 'nobody@example.com' },
      headers: { host: 'localhost:3000' }
    })
    const result2 = await loginHandler(event2)

    // Response shape and message must be identical
    expect(Object.keys(result1).sort()).toEqual(Object.keys(result2).sort())
    expect(result1.success).toBe(result2.success)
    expect(result1.message).toBe(result2.message)
  })

  it('throws 400 when email is missing from body', async () => {
    const event = createMockEvent({
      method: 'POST',
      path: '/api/auth/login',
      body: {},
      headers: { host: 'localhost:3000' }
    })

    await expect(loginHandler(event)).rejects.toMatchObject({
      statusCode: 400,
      statusMessage: 'Email is required'
    })
  })
})