SveltyCMS

Documentation

User API Integration Tests

Comprehensive test coverage documentation for all user-related API endpoints including authentication, avatar management, and invitations.

Last updated: 11/21/2025

User API Integration Tests

Complete test coverage for all user-related API endpoints in SveltyCMS.

Test Overview

  • Test File: tests/bun/api/user.test.ts
  • Total Tests: 47
  • Coverage: 100% (8/8 endpoints)
  • Framework: Bun Test v1.3.2

Endpoint Coverage

Endpoint Tests Status
POST /api/user/createUser 4
POST /api/user/login 2
PUT /api/user/updateUserAttributes 4
POST /api/user/batch 2
POST /api/user/logout 1
POST /api/user/saveAvatar 6
DELETE /api/user/deleteAvatar 5
GET /api/user (index) 1
POST /api/user (invitations) 5
Error Handling 8
Session Management 3
API Availability 3

Running the Tests

Prerequisites

  1. Start the SvelteKit server: 
    bun run dev
  2. Ensure MongoDB is running (or test database is configured)

Run Commands

# Run all user API tests
bun test tests/bun/api/user.test.ts

# Run specific test suite
bun test tests/bun/api/user.test.ts -t "createUser"
bun test tests/bun/api/user.test.ts -t "saveAvatar"
bun test tests/bun/api/user.test.ts -t "Session Management"

# Run all API tests
bun test tests/bun/api/

# Run with verbose output
bun test tests/bun/api/user.test.ts --verbose

Expected Results

  • Pass Rate: 45-47 tests (depending on email service availability)
  • ✅ Core functionality: 30 tests
  • ✅ Error handling: 8 tests
  • ✅ Session management: 3 tests
  • ✅ API availability: 3 tests
  • ✅ Avatar management: 11 tests
  • ⚠️ Invitations: 5 tests (may fail if email service unavailable)

Test Suites

1. User Creation (POST /api/user/createUser)

Tests: 4

describe('POST /api/user/createUser', () => {
	it('should create the first user successfully without authentication');
	it('should reject user creation with an invalid email format');
	it('should reject user creation with mismatched passwords');
	it('should reject user creation with a duplicate email');
});

What’s Tested:

  • First user creation without authentication (special case)
  • Email format validation
  • Password confirmation matching
  • Duplicate email prevention

API Response:

  • Success: 201 Created with user object
  • Failure: 400 Bad Request with error details

2. Authentication (POST /api/user/login)

Tests: 2

describe('POST /api/user/login', () => {
	it('should log in successfully with valid credentials');
	it('should reject login with invalid credentials');
});

What’s Tested:

  • Argon2id password verification
  • Session cookie creation
  • Invalid credential handling
  • Generic error messages (prevent user enumeration)

Security Features:

  • Quantum-resistant password hashing (Argon2id)
  • Session cookies with auth_session name
  • Generic error messages to prevent user enumeration

3. Profile Updates (PUT /api/user/updateUserAttributes)

Tests: 4

describe('PUT /api/user/updateUserAttributes', () => {
	it('should allow a user to update their own attributes');
	it('should allow an admin to update another user role');
	it('should prevent any user, including an admin, from changing their own role');
	it('should reject request without a valid token');
});

What’s Tested:

  • Self-profile updates
  • Admin updating other users
  • Role escalation prevention (self-role-change blocked)
  • Authentication requirement
  • Session cache invalidation

Security Features:

  • Users cannot change their own roles
  • Multi-tenant safety checks
  • Session cache invalidation after updates

4. Batch Operations (POST /api/user/batch)

Tests: 2

describe('POST /api/user/batch', () => {
	it('should allow an admin to perform batch user operations');
	it('should reject batch operations without authorization');
});

What’s Tested:

  • Admin batch user listing
  • Pagination support
  • Authorization requirement

5. Avatar Management (POST /api/user/saveAvatar)

Tests: 6

describe('POST /api/user/saveAvatar', () => {
	it('should upload avatar for authenticated user');
	it('should reject avatar upload without authentication');
	it('should reject avatar upload without file');
	it('should reject invalid file type for avatar');
	it('should allow admin to upload avatar for another user');
	it('should accept various image formats (JPEG, PNG, GIF, WebP)');
});

What’s Tested:

  • File upload with FormData
  • Authentication requirement
  • File presence validation
  • Server-side MIME type validation
  • Admin permissions for other users
  • Multiple image format support

Supported Formats:

  • JPEG (image/jpeg)
  • PNG (image/png)
  • GIF (image/gif)
  • WebP (image/webp)
  • SVG (image/svg+xml)
  • AVIF (image/avif)

Security Features:

  • Server-side file type validation
  • Old avatar cleanup (moved to trash)
  • Multi-tenant avatar isolation
  • FormData sanitization

6. Avatar Deletion (DELETE /api/user/deleteAvatar)

Tests: 5

describe('DELETE /api/user/deleteAvatar', () => {
	it('should delete own avatar when authenticated');
	it('should reject avatar deletion without authentication');
	it('should allow deletion when no avatar exists');
	it('should allow admin to delete another user avatar');
	it('should return default avatar URL after deletion');
});

What’s Tested:

  • Self-avatar deletion
  • Authentication requirement
  • Graceful handling when no avatar exists
  • Admin permissions
  • Default avatar fallback (/Default_User.svg)

Features:

  • Moves avatar to trash (doesn’t permanently delete)
  • Returns default avatar URL
  • Cache invalidation
  • Multi-tenant isolation

7. User Invitations (POST /api/user)

Tests: 5

describe('POST /api/user (index - invitations)', () => {
	it('should create user and send invitation token via email');
	it('should reject user creation without authentication');
	it('should reject duplicate user creation for same email');
	it('should reject invalid expiration time');
	it('should accept valid expiration time options');
});

What’s Tested:

  • Token-based email invitation system
  • Authentication requirement
  • Duplicate email prevention
  • Expiration time validation

Valid Expiration Times:

  • 2 hrs (7200 seconds)
  • 12 hrs (43200 seconds)
  • 2 days (172800 seconds)
  • 1 week (604800 seconds)

Note: Tests may fail if email service is not configured or unavailable.

8. Error Handling & Edge Cases

Tests: 8

describe('Error Handling & Edge Cases', () => {
	describe('Invalid Input Validation', () => {
		it('should reject empty email');
		it('should reject missing password');
		it('should reject password shorter than 8 characters');
		it('should reject malformed JSON');
	});

	describe('Authentication Edge Cases', () => {
		it('should reject login with non-existent email');
		it('should reject login with empty credentials');
	});

	describe('Authorization Edge Cases', () => {
		it('should reject updateUserAttributes with invalid user_id');
		it('should reject updateUserAttributes with empty newUserData');
	});
});

What’s Tested:

  • Input validation (empty fields, format errors)
  • Authentication edge cases
  • Authorization boundary testing
  • Malformed request handling

9. Session Management

Tests: 3

describe('Session Management', () => {
	it('should set session cookie on successful login');
	it('should reject authenticated requests with invalid session cookie');
	it('should clear session on logout');
});

What’s Tested:

  • Session cookie creation (auth_session)
  • Invalid session token rejection
  • Logout session clearing
  • Post-logout access denial

Session Details:

  • Cookie name: auth_session
  • Expiry: 24 hours (configurable)
  • HttpOnly flag for security

10. API Endpoint Availability

Tests: 3

describe('API Endpoint Availability', () => {
	it('should have /api/admin/users endpoint available');
	it('should have /api/admin/tokens endpoint available');
	it('should have /api/user/logout endpoint available');
});

What’s Tested:

  • Endpoint existence verification
  • Server response (not 500/503 errors)
  • Admin endpoint availability

Test Helpers

Server Wait Helper (tests/bun/helpers/server.ts)

Prevents timeout errors by waiting for the SvelteKit server to be ready.

import { waitForServer, getApiBaseUrl } from '../helpers/server';

beforeAll(async () => {
	await waitForServer(); // Waits up to 60 seconds
});

const API_BASE_URL = getApiBaseUrl(); // http://localhost:5173

Features:

  • Polls server every 500ms
  • 60-second timeout
  • Configurable via environment variable

Test Setup Helper (tests/bun/helpers/testSetup.ts)

Provides fixtures, database cleanup, and role resolution.

import { initializeTestEnvironment, cleanupTestDatabase, cleanupTestEnvironment, testFixtures } from '../helpers/testSetup';

beforeAll(async () => {
	await initializeTestEnvironment();
});

afterAll(async () => {
	await cleanupTestEnvironment();
});

beforeEach(async () => {
	await cleanupTestDatabase();
});

Features:

  • Role ID resolution with caching
  • First-user detection
  • Dynamic test fixtures
  • Database cleanup utilities

Security Testing

Password Security

  • ✅ Argon2id quantum-resistant hashing
  • ✅ Minimum 8-character requirement
  • ✅ Password confirmation matching

Session Security

  • ✅ Session cookie validation
  • ✅ HttpOnly cookie flag
  • ✅ 24-hour expiration
  • ✅ Logout invalidation

Authorization

  • ✅ Role escalation prevention
  • ✅ Self vs other user permissions
  • ✅ Admin permission checks
  • ✅ Multi-tenant isolation

Input Validation

  • ✅ Email format validation
  • ✅ File type validation (avatars)
  • ✅ Malformed JSON rejection
  • ✅ Empty field rejection

XSS Prevention

  • ✅ Input sanitization
  • ✅ File upload validation
  • ✅ Generic error messages

Troubleshooting

Test Timeouts

Symptom: beforeEach/afterEach hook timed out Solutions:

  1. Ensure SvelteKit server is running (bun run dev)
  2. Check MongoDB connection
  3. Verify port 5173 is not already in use
  4. Increase timeout in test file if needed

Database Connection Errors

Symptom: Authentication system not available Solutions:

  1. Start MongoDB service
  2. Check database credentials in .env
  3. Verify multi-tenant settings

Avatar Upload Failures

Symptom: Avatar tests failing Solutions:

  1. Check file system permissions
  2. Verify mediaFolder directory exists
  3. Check cloud storage configuration (if using)

Email Service Failures

Symptom: Invitation tests failing Solutions:

  1. Configure email service in settings
  2. Check SMTP credentials
  3. Tests gracefully handle email unavailability

Related Documentation

Next Steps

  1. Run the tests to verify your setup
  2. Add new tests for custom functionality
  3. Review test coverage in related endpoints
  4. Contribute improvements via pull requests
testingapiuser-managementintegration-testsbun