
Feat/server tests #7 (Closed)

michaelhthomas wants to merge 12 commits into develop from feat/server-tests

Conversation

@michaelhthomas
Owner

Description

  • Fixes #XXXX

How Has This Been Tested?

Screenshots / Logs (if applicable)

Checklist:

  • I have read and followed the contribution guidelines.
  • Disclosed any use of AI (see our policy)
  • I have updated the documentation accordingly.
  • All new and existing tests passed.
  • Successful build pnpm build
  • Translation keys pnpm i18n:extract
  • Database migration (if required)

Comment on lines +28 to +32
session({
  secret: 'test-secret',
  resave: false,
  saveUninitialized: false,
})

Check warning: Code scanning / CodeQL

Clear text transmission of sensitive cookie (Medium)

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix (AI, 3 months ago)

In general, to fix this class of issues with express-session, you should explicitly configure the cookie option to ensure that sensitive cookies are marked as secure (sent only over HTTPS) and httpOnly (inaccessible to client-side scripts). Relying on defaults (secure: 'auto') can be brittle, especially behind proxies or in nonstandard environments.

For this specific file, the best fix is to modify the session({...}) call inside createApp to include an explicit cookie configuration, e.g. cookie: { secure: true, httpOnly: true }. This makes the intent clear and ensures that, in any environment where HTTPS is available, the cookie is not sent over cleartext. Since this is test code and we are not allowed to change other parts of the project, we should avoid adding environment-dependent logic here and just configure the cookie securely. The change is localized to server/routes/auth.test.ts, lines 28–32, and does not alter any test behavior beyond tightening cookie flags on the created session cookie; Supertest-based tests that only inspect HTTP responses will continue to work.

Concretely:

  • Edit the session options object in createApp to add a cookie property with secure: true and httpOnly: true.
  • No new imports are needed because cookie is just a plain object property on the express-session options.
  • No other files or lines need to be updated.
Suggested changeset 1
server/routes/auth.test.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/server/routes/auth.test.ts b/server/routes/auth.test.ts
--- a/server/routes/auth.test.ts
+++ b/server/routes/auth.test.ts
@@ -29,6 +29,10 @@
       secret: 'test-secret',
       resave: false,
       saveUninitialized: false,
+      cookie: {
+        secure: true,
+        httpOnly: true,
+      },
     })
   );
   app.use(checkUser);
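Review bot: with `secure: true` on this test fixture, express-session will withhold the session cookie entirely on the plain HTTP requests Supertest sends (no TLS socket, no trusted `X-Forwarded-Proto`), so any test in auth.test.ts that relies on a session persisting between two requests (log in, then call a protected route) will silently lose it; the claim that Supertest-based tests "will continue to work" holds only for tests that never depend on the cookie. If the alert must be satisfied in this file, either `app.set('trust proxy', true)` in createApp and send `X-Forwarded-Proto: https` on each request, or suppress the alert as test code and keep the production `secure` flag in the real app's session config rather than the test harness. `httpOnly: true` restates express-session's default and can be dropped.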
EOF
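The autofix discussion above turns on how express-session decides whether to send the session cookie at all, and on why `secure: true` is brittle behind proxies. The following is an added example, not code from the PR or from express-session: a simplified model of the library's `issecure()` decision and of the attributes it puts on the cookie, so the effect of `cookie: { secure: true }` on the plain HTTP requests Supertest sends can be seen without starting a server. `HttpRequest`, `isSecureRequest`, `shouldIssueSessionCookie` and `sessionCookieAttributes` are names chosen for this example; `trustProxy` is collapsed to a boolean, whereas the real library also falls back to Express's `req.secure`.

```typescript
// Added example, not the project's code: a simplified model of how
// express-session decides whether to issue its session cookie and which
// attributes it sets. Names below are chosen for this example.

type HttpRequest = {
  encrypted: boolean; // true when the socket itself is TLS
  headers: Record<string, string | undefined>;
};

// Mirrors the library's issecure() helper: a request is secure if the
// socket is TLS, or if a proxy is trusted and it says the client used https.
// Without trust, X-Forwarded-Proto is attacker-controlled and is ignored.
function isSecureRequest(req: HttpRequest, trustProxy: boolean): boolean {
  if (req.encrypted) return true;
  if (!trustProxy) return false;
  const header = req.headers['x-forwarded-proto'] ?? '';
  const proto = (header.split(',')[0] ?? '').trim().toLowerCase(); // first hop wins
  return proto === 'https';
}

type SecureOption = boolean | 'auto';

// express-session refuses to send a cookie marked Secure over an insecure
// request. With 'auto' the flag follows the request, so the cookie is always
// sent but is only marked Secure when the request itself was secure.
function shouldIssueSessionCookie(
  secure: SecureOption,
  req: HttpRequest,
  trustProxy: boolean,
): boolean {
  const requestSecure = isSecureRequest(req, trustProxy);
  const cookieSecure = secure === 'auto' ? requestSecure : secure;
  return !(cookieSecure && !requestSecure);
}

// Attribute string the library would append to `connect.sid=<id>`.
// httpOnly defaults to true in express-session, so `httpOnly: true` in the
// autofix only restates the default; Secure appears only when the cookie
// is both marked secure and actually issued.
function sessionCookieAttributes(
  opts: { secure?: SecureOption; httpOnly?: boolean },
  req: HttpRequest,
  trustProxy: boolean,
): string {
  const requestSecure = isSecureRequest(req, trustProxy);
  const secure = opts.secure === 'auto' ? requestSecure : opts.secure === true;
  const parts = ['Path=/'];
  if (opts.httpOnly ?? true) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Constructed requests: what Supertest sends (plain HTTP, no proxy headers)
// and what a TLS-terminating reverse proxy forwards to the app.
const supertestRequest: HttpRequest = { encrypted: false, headers: {} };
const behindProxyRequest: HttpRequest = {
  encrypted: false,
  headers: { 'x-forwarded-proto': 'https, http' },
};
```

Run against `supertestRequest`, `shouldIssueSessionCookie(true, ...)` returns false: that is the case in which a login test passes but the session never reaches the next request. The same cookie is issued once the proxy is trusted and forwards `https`, which is the configuration a production deployment needs for `secure: true` to be both safe and functional.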
Comment thread .github/workflows/ci.yml Fixed
michaelhthomas force-pushed the feat/server-tests branch 2 times, most recently from 5d835b7 to 5ff31a2 on February 18, 2026 20:17
michaelhthomas force-pushed the feat/server-tests branch 3 times, most recently from f9cbd97 to 7ecb018 on February 18, 2026 20:48
TypeORM represents the 'date' column type (date only) as a string, not a JS date object. This was
causing the reset password expiration check to never activate, since it compares the date (which is
a string) with new Date(), which is always truthy.
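The commit message above describes a password-reset expiry check that could never fire. As an added example (not the PR's own fix), the block below reproduces the failure and shows a safe comparison: an entity field declared as `Date` that TypeORM actually populates with a `'YYYY-MM-DD'` string is compared with `new Date()` using `<`, both sides are coerced with ToNumber, the string becomes `NaN`, and every relational comparison involving `NaN` is false, so the token is treated as valid forever. `ResetRecord`, `buggyIsExpired` and `fixedIsExpired` are names chosen for this example; the sample row is constructed. Note that even with the parse fixed, a date-only column gives midnight granularity, so a real expiry belongs in a `timestamp`/`datetime` column.

```typescript
// Added example, not the project's code: why a TypeORM `date` column value
// never expires a reset token when compared directly with `new Date()`,
// and a comparison that fails closed. Names are chosen for this example.

// The declared type says Date; the runtime value TypeORM hands back for a
// 'date' column is the driver's 'YYYY-MM-DD' string.
type ResetRecord = { resetExpires: Date };

// Shape of the original check. `<` applies ToNumber to both operands: the
// Date becomes its timestamp, the 'YYYY-MM-DD' string becomes NaN, and any
// comparison with NaN is false, so this never reports an expired token.
function buggyIsExpired(record: ResetRecord, now: Date): boolean {
  return record.resetExpires < now;
}

// Safe version: normalise whatever the driver returned to a Date, reject
// anything unparseable (fail closed: treat it as expired), then compare
// numeric timestamps explicitly.
function fixedIsExpired(record: ResetRecord, now: Date): boolean {
  const raw: unknown = record.resetExpires;
  const expires = raw instanceof Date ? raw : new Date(String(raw));
  if (Number.isNaN(expires.getTime())) {
    return true;
  }
  return expires.getTime() <= now.getTime();
}

// Constructed row as TypeORM returns it for a `date` column: a string
// despite the `Date` declaration, which is exactly the type lie at issue.
const rowFromTypeOrm: ResetRecord = { resetExpires: '2024-01-01' as unknown as Date };
const sampleNow = new Date('2026-02-18T20:17:00Z');
```

`buggyIsExpired(rowFromTypeOrm, sampleNow)` returns false although the expiry is two years in the past; `fixedIsExpired` returns true for the same row, false for a future `Date` or date string, and true for garbage such as `'not-a-date'`, so a corrupted expiry can never reopen a reset link.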
6 participants