
feature: add new authentication edge case coverage #513

Merged: mehul-m-prajapati merged 2 commits into GitMetricsLab:main from JayRathore10:add-auth-edge-case-tests on May 29, 2026

Conversation


JayRathore10 (Contributor) commented May 25, 2026

🚀 Feature: Add new test coverage for auth route validation and security edge cases

Closes #512

GSSoC'26 Details

GSSoC Profile: https://gssoc.girlscript.org/profile/e47b2f4a-f3e9-4cb4-97b5-ddd8cb15a1e9

Description

This PR enhances the authentication route test suite by adding coverage for validation and edge-case scenarios that were previously untested.

The existing test suite already verifies the core authentication workflow, including:

  • User signup
  • Duplicate email validation
  • Duplicate username validation
  • Successful login
  • Failed login with incorrect password
  • Logout functionality

This contribution extends coverage to ensure the authentication system handles invalid inputs and edge cases correctly.

Added Test Cases

Signup Validation

  • Reject signup when email is missing
  • Reject signup when username is missing
  • Reject signup when password is missing
  • Reject empty request body

Login Validation

  • Reject login for non-existent users
  • Reject login when email is missing
  • Reject login when password is missing
  • Reject empty login request body

Session Handling

  • Verify logout behavior when no active session exists

Benefits

  • Improves authentication test coverage
  • Validates request input handling
  • Covers important edge cases
  • Helps prevent future regressions
  • Improves overall reliability of authentication routes

Testing

  • Added new test cases to auth.routes.spec.cjs
  • Existing tests remain unchanged
  • Focused on validation and error-handling scenarios

Expected Outcome

A more comprehensive and reliable authentication test suite with stronger validation and edge-case coverage.

Type of Change

  • Bug fix
  • New feature
  • Code style update
  • Breaking change
  • Documentation update

Summary by CodeRabbit

  • Tests
    • Enhanced authentication test coverage with additional edge case scenarios including missing credentials, empty request bodies, and non-existent user login attempts to improve system reliability.
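The edge cases listed above (missing email, username or password; empty request body; missing login fields) all hinge on the request validator rejecting the body before the route touches the database. The following is an added example, not code from the github_tracker project or its spec file: a dependency-free validator modelled on the password rule the review thread attributes to signupSchema (upper + lower + digit + one of @$!%*?&). The field names, the error-object layout, the minimum length and the `success`/`errors` shape of the 400 body are assumptions; only `message: 'Validation failed'` is quoted in the review.

```javascript
// Added example (not the project's code). Policy assumed here: at least 8
// characters drawn from the allowed set, with one lowercase letter, one
// uppercase letter, one digit and one special character from @$!%*?&.
const PASSWORD_RE = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function isNonEmptyString(v) {
  return typeof v === 'string' && v.trim() !== '';
}

// Signup rules: every field required, email well-formed, password matching the policy.
// A missing or non-object body is treated exactly like an empty object.
function validateSignup(body) {
  const b = body && typeof body === 'object' ? body : {};
  const errors = [];
  if (!isNonEmptyString(b.username)) errors.push({ field: 'username', message: 'username is required' });
  if (!isNonEmptyString(b.email)) errors.push({ field: 'email', message: 'email is required' });
  else if (!EMAIL_RE.test(b.email)) errors.push({ field: 'email', message: 'email is not well-formed' });
  if (!isNonEmptyString(b.password)) errors.push({ field: 'password', message: 'password is required' });
  else if (!PASSWORD_RE.test(b.password)) {
    errors.push({ field: 'password', message: 'password needs upper, lower, digit and one of @$!%*?&' });
  }
  return errors;
}

// Login rules: presence checks only. The password policy is enforced at signup,
// where it decides what gets stored; login just needs both fields present.
function validateLogin(body) {
  const b = body && typeof body === 'object' ? body : {};
  const errors = [];
  if (!isNonEmptyString(b.email)) errors.push({ field: 'email', message: 'email is required' });
  if (!isNonEmptyString(b.password)) errors.push({ field: 'password', message: 'password is required' });
  return errors;
}

// Middleware-style gate: returns the 400 response a failing request would get,
// or null when the route handler may proceed. Body shape is an assumption apart
// from the 'Validation failed' message quoted in the review.
function validateRequest(validator, body) {
  const errors = validator(body);
  if (errors.length === 0) return null;
  return { status: 400, body: { success: false, message: 'Validation failed', errors } };
}

// Constructed sample requests covering the edge cases listed in the PR description.
const SAMPLES = {
  signupWeakPassword: [validateSignup, { username: 'testuser', email: 'test@example.com', password: 'password123' }],
  signupValid: [validateSignup, { username: 'testuser', email: 'test@example.com', password: 'Password123!' }],
  signupMissingEmail: [validateSignup, { username: 'testuser', password: 'Password123!' }],
  signupEmptyBody: [validateSignup, {}],
  signupNoBody: [validateSignup, undefined],
  loginMissingPassword: [validateLogin, { email: 'test@example.com' }],
  loginEmptyBody: [validateLogin, {}],
  loginValid: [validateLogin, { email: 'test@example.com', password: 'Password123!' }],
};

// Runs every sample and reports the status the gate would answer with
// (200 meaning "passed through to the handler").
function runSamples() {
  const out = {};
  for (const [name, [validator, body]] of Object.entries(SAMPLES)) {
    const rejected = validateRequest(validator, body);
    out[name] = rejected ? rejected.status : 200;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
```

Run with `node` to see each constructed request mapped to 200 or 400. Because the gate runs before any lookup, a request with a weak password never reaches the "user already exists" branch, which is exactly why the review below flags `'password123'` in the existing signup tests.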


netlify Bot commented May 25, 2026

Deploy Preview for github-spy ready!

Latest commit: 0505981
Latest deploy log: https://app.netlify.com/projects/github-spy/deploys/6a144e49285ed90008150053
Deploy Preview: https://deploy-preview-513--github-spy.netlify.app

coderabbitai Bot (Contributor) commented May 25, 2026

Warning

Review limit reached

@JayRathore10, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 55 minutes and 54 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c89338c5-3774-49c1-a62d-64836df7e563

📥 Commits

Reviewing files that changed from the base of the PR and between 8c6f89a and 0505981.

📒 Files selected for processing (1)
  • spec/auth.routes.spec.cjs
📝 Walkthrough

This PR reformats the authentication test setup and expands test coverage with new edge case validations. The test infrastructure is cleaned up for readability, and comprehensive negative test cases are added for invalid signup and login inputs.

Changes

Auth Route Test Coverage Expansion

Layer | File(s) | Summary
Test setup initialization | spec/auth.routes.spec.cjs | Express session middleware configuration and MongoDB connection setup are reformatted into multi-line structures for improved readability.
Auth test cases and edge case coverage | spec/auth.routes.spec.cjs | Existing auth tests (signup success, duplicate email/username prevention, successful login) are reformatted, and new validation tests are added for non-existent user login, missing email/password in signup, empty credentials login, and empty signup request body.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • GitMetricsLab/github_tracker#286: Further extends spec/auth.routes.spec.cjs with additional auth route test modifications, directly building on overlapping test suite updates.

Suggested labels

level:intermediate, quality:clean

Poem

🐰 Test cases multiply, each edge case caught,
Validations strengthen what the builders wrought,
Empty fields and missing keys now seen,
Auth routes protected, secure and clean,
Hop onward, tests now run pristine!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
Linked Issues check | ❓ Inconclusive | The PR fully addresses the core objectives of issue #512, adding test cases for signup/login validation, edge cases, and session handling. However, security checks for password hashing are not explicitly addressed. | Verify whether the new test cases include assertions for password hashing verification and that login responses don't expose password hashes, as specified in issue #512.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title accurately describes the primary change: adding new test coverage for authentication edge cases.
Description check | ✅ Passed | The description includes all required sections (Related Issue, Description, How Has This Been Tested, Type of Change) and provides comprehensive details about the changes.
Out of Scope Changes check | ✅ Passed | All changes are focused on test coverage expansion and remain within the scope of the linked issue #512.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
spec/auth.routes.spec.cjs (1)

46-169: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix test passwords to satisfy signupSchema validation (otherwise /auth/signup always 400s).

spec/auth.routes.spec.cjs uses 'password123', 'password456', and 'wrongpassword', but backend/validators/authValidator.js requires the password regex to include upper + lower + digit + a special character from @$!%*?&. Since backend/routes/auth.js applies validateRequest(signupSchema) before checking for existing users, these requests will fail early with 400 and message: 'Validation failed' (not 201/User created successfully or 400/User already exists), breaking the signup/login/logout tests.

Proposed fix (update passwords in this spec file)
       .send({
         username: 'testuser',
         email: 'test@example.com',
-        password: 'password123',
+        password: 'Password123!',
       });
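Review bot: the replacement shown covers only the `'password123'` signup body, but the same value has to be sent by the successful-login test that reuses these credentials, and the `'password456'` body in the duplicate-username test needs the same treatment; `'wrongpassword'` in the failed-login test can stay only if the login route does not apply the signup password regex, which the comment above does not establish. Since the credential strings now appear in several tests, hoist them into shared constants at the top of the spec (for example `const VALID_PASSWORD = 'Password123!';`) so the suite cannot drift out of step with authValidator.js again.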

Use a matching valid password (e.g., Password123!) for every signup attempt in spec/auth.routes.spec.cjs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/auth.routes.spec.cjs` around lines 46 - 169, The signup tests in
spec/auth.routes.spec.cjs use weak passwords ('password123', 'password456',
'wrongpassword') that fail validateRequest(signupSchema) (password regex
requires upper, lower, digit, and special char), causing early 400s; update
every password string used in tests (signup and login flows) to a valid value
that matches signupSchema (e.g., "Password123!") so the routes in routes/auth.js
proceed past validation and the tests exercise user-creation, duplicate-user
checks, login (post('/auth/login')) and logout (get('/auth/logout')) as
intended.
🧹 Nitpick comments (1)
spec/auth.routes.spec.cjs (1)

186-195: ⚡ Quick win

Use precise status code assertions.

All new validation tests use toBeGreaterThanOrEqual(400), which is imprecise. Based on backend/validators/validationRequest.js, validation failures return exactly 400 with a structured error response.

Consider asserting the exact status code and optionally verifying the error response structure:

📋 Proposed fix: use exact status code assertions
-    expect(res.status).toBeGreaterThanOrEqual(400);
+    expect(res.status).toBe(400);
+    expect(res.body.success).toBe(false);
+    expect(res.body.message).toBe('Validation failed');
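Review bot: the added `expect(res.body.success).toBe(false)` pins a field that neither this comment nor the earlier one quotes from validationRequest.js; only `message: 'Validation failed'` is cited above. Confirm the validator actually sets `success: false` before asserting it, and prefer asserting the exact status plus one stable body field (the message or the presence of an errors array) rather than every property, so the tests fail on behaviour regressions rather than on response-wording changes. The snippet also only shows the signup case; the same exact-400 assertion applies to the login validation tests listed under "Also applies to".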

Apply this pattern to all four new validation tests (lines 194, 205, 215, 223).

Also applies to: 197-206, 208-216, 218-224

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/auth.routes.spec.cjs` around lines 186 - 195, Replace the imprecise
status assertions in the signup validation tests so they assert the exact 400
response: change expect(res.status).toBeGreaterThanOrEqual(400) to
expect(res.status).toBe(400) in the tests for missing
email/username/password/etc. (the tests that call
request(app).post('/auth/signup').send(...)); optionally add an assertion on the
response body to match the validator's structured error (e.g., check presence of
an errors array or message property) to ensure the validationRequest.js format
is returned.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@spec/auth.routes.spec.cjs`:
- Around line 173-224: Add the missing tests required by issue `#512`: create
tests verifying signup with missing username using the '/auth/signup' route and
login with missing email and missing password using '/auth/login' (distinct from
the empty-credentials test), add security tests that query the User model (e.g.,
User.findOne or equivalent used in your test suite) after signup to assert
stored passwords are hashed (not equal to the plaintext) and ensure responses
from '/auth/login' and '/auth/signup' never include password or passwordHash
fields, and add a session test calling '/auth/logout' when no session exists to
assert an appropriate no-session response; implement each as independent it(...)
cases in spec/auth.routes.spec.cjs with clear names like "should not sign up
with missing username", "should not login with missing email", "should not login
with missing password", "should store hashed passwords", "should not expose
password hash in login response", and "should handle logout with no active
session".

---

Outside diff comments:
In `@spec/auth.routes.spec.cjs`:
- Around line 46-169: The signup tests in spec/auth.routes.spec.cjs use weak
passwords ('password123', 'password456', 'wrongpassword') that fail
validateRequest(signupSchema) (password regex requires upper, lower, digit, and
special char), causing early 400s; update every password string used in tests
(signup and login flows) to a valid value that matches signupSchema (e.g.,
"Password123!") so the routes in routes/auth.js proceed past validation and the
tests exercise user-creation, duplicate-user checks, login (post('/auth/login'))
and logout (get('/auth/logout')) as intended.

---

Nitpick comments:
In `@spec/auth.routes.spec.cjs`:
- Around line 186-195: Replace the imprecise status assertions in the signup
validation tests so they assert the exact 400 response: change
expect(res.status).toBeGreaterThanOrEqual(400) to expect(res.status).toBe(400)
in the tests for missing email/username/password/etc. (the tests that call
request(app).post('/auth/signup').send(...)); optionally add an assertion on the
response body to match the validator's structured error (e.g., check presence of
an errors array or message property) to ensure the validationRequest.js format
is returned.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c7d2e641-189f-4e4c-b920-83a95eb2e55c

📥 Commits

Reviewing files that changed from the base of the PR and between 6c6bc3e and 8c6f89a.

📒 Files selected for processing (1)
  • spec/auth.routes.spec.cjs

Comment thread on spec/auth.routes.spec.cjs

JayRathore10 (Contributor, Author) commented:

@mehul-m-prajapati Check out this PR.

@mehul-m-prajapati mehul-m-prajapati merged commit ca71a6c into GitMetricsLab:main May 29, 2026
6 checks passed
github-actions Bot commented:

🎉🎉 Thank you for your contribution! Your PR #513 has been merged! 🎉🎉
