Skip to main content
Back to Elite Events

Elite Events Documentation

Technical documentation, guides, and API references for the Elite Events platform.

Test Coverage Reports/Auth API Coverage

Auth API Test Coverage Summary

Overview

This document provides a comprehensive overview of the test coverage for Authentication API routes in the Elite Events application.

Generated: November 28, 2025 Status: COMPREHENSIVE - All tested routes have exceptional coverage Total API Tests: 60 tests across 2 route files Coverage Achievement: 100% statements, 97.05% branches, 100% functions, 100% lines

Test Coverage Summary

Overall Auth API Coverage

File             | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
-----------------|---------|----------|---------|---------|-------------------
All files        |     100 |    97.05 |     100 |     100 |
 forgot-password |     100 |      100 |     100 |     100 |
  route.ts       |     100 |      100 |     100 |     100 |
 signup          |     100 |    94.44 |     100 |     100 |
  route.ts       |     100 |    94.44 |     100 |     100 | 26 (branch)

Test Breakdown by Route

1. /api/auth/signup - User Registration Route

File: src/app/api/auth/signup/route.ts Test File: src/app/api/auth/__tests__/signup.test.ts Test Count: 30 tests Coverage: 100% statements, 94.44% branches, 100% functions, 100% lines

POST /api/auth/signup - User Registration (30 tests)

Successful Signup Tests (3 tests):

  • ✅ Creates user with valid data
  • ✅ Hashes password before storage
  • ✅ Creates user without name (optional field)

Validation Error Tests (5 tests):

  • ✅ Rejects invalid email format
  • ✅ Rejects password shorter than 6 characters
  • ✅ Rejects mismatched passwords
  • ✅ Rejects missing email
  • ✅ Rejects missing password

Duplicate Email Handling (1 test):

  • ✅ Rejects duplicate email

Rate Limiting Tests (2 tests):

  • ✅ Enforces rate limit after 5 requests
  • ✅ Includes rate limit headers in response

Error Handling Tests (3 tests):

  • ✅ Returns 500 on database error
  • ✅ Returns 500 on bcrypt error
  • ✅ Returns 500 on user creation error

Email Verification Tests (4 tests):

  • ✅ Generates verification token
  • ✅ Sends verification email after signup
  • ✅ Includes emailVerificationRequired flag in response
  • ✅ Succeeds even if email sending fails

Email Normalization Tests (2 tests):

  • ✅ Converts email to lowercase for storage
  • ✅ Checks for existing user with case-insensitive email

Password Validation Edge Cases (4 tests):

  • ✅ Accepts password with special characters
  • ✅ Accepts long password (100 characters)
  • ✅ Rejects password with exactly 5 characters
  • ✅ Accepts password with exactly 6 characters (minimum)

Name Field Validation (2 tests):

  • ✅ Accepts name with spaces
  • ✅ Accepts name with special characters

Response Security Tests (2 tests):

  • ✅ Does not include password in response
  • ✅ Does not include verificationToken in response

IP-based Rate Limiting (2 tests):

  • ✅ Rate limits based on x-forwarded-for header
  • ✅ Rate limits based on x-real-ip header when x-forwarded-for is missing

Key Features Tested

  • User registration with email, password, and optional name
  • Password hashing with bcryptjs (10 rounds)
  • Email verification token generation using crypto
  • Email sending for verification
  • Rate limiting (5 signups per hour per IP)
  • Input validation using Zod schema
  • Case-insensitive email handling
  • Security: passwords and tokens excluded from responses
  • Error handling for database, bcrypt, and email failures

2. /api/auth/forgot-password - Password Reset Request Route

File: src/app/api/auth/forgot-password/route.ts Test File: src/app/api/auth/__tests__/forgot-password.test.ts Test Count: 30 tests Coverage: 100% all metrics

POST /api/auth/forgot-password - Password Reset Request (30 tests)

Successful Request Tests (4 tests):

  • ✅ Returns success message for existing user
  • ✅ Returns same success message for non-existent user (prevents email enumeration)
  • ✅ Deletes existing reset tokens before creating new one
  • ✅ Creates token with 1 hour expiration

Validation Error Tests (3 tests):

  • ✅ Rejects invalid email format
  • ✅ Rejects missing email
  • ✅ Rejects empty email

Rate Limiting Tests (2 tests):

  • ✅ Enforces rate limit after 5 requests
  • ✅ Includes rate limit headers

Error Handling Tests (2 tests):

  • ✅ Returns 500 on database error
  • ✅ Returns success even if email sending fails

Email Normalization (1 test):

  • ✅ Converts email to lowercase for lookup

Token Security Tests (2 tests):

  • ✅ Hashes token before storage
  • ✅ Generates random token using crypto

Database Operations Tests (4 tests):

  • ✅ Deletes all existing reset tokens for user
  • ✅ Creates token with correct user association
  • ✅ Handles database error when deleting old tokens
  • ✅ Handles database error when creating new token

Security Headers Tests (2 tests):

  • ✅ Includes security headers in success response
  • ✅ Includes security headers in error response

IP Extraction for Rate Limiting (3 tests):

  • ✅ Uses x-forwarded-for header for IP
  • ✅ Uses x-real-ip header when x-forwarded-for is missing
  • ✅ Uses unknown as fallback IP

Email Edge Cases (5 tests):

  • ✅ Handles email with plus sign addressing
  • ✅ Handles email with subdomain
  • ✅ Rejects email with spaces
  • ✅ Rejects email without domain
  • ✅ Rejects email without @ symbol

Response Consistency Tests (2 tests):

  • ✅ Returns same status code for existing and non-existing users
  • ✅ Returns same message structure for existing and non-existing users

Key Features Tested

  • Password reset flow initiation
  • Email enumeration prevention (same response for existing/non-existing users)
  • Rate limiting (5 requests per hour per IP)
  • Token generation using crypto (32 random bytes)
  • Token hashing with bcryptjs before storage
  • Token expiration (1 hour)
  • Email sending for password reset
  • Input validation using Zod schema
  • Case-insensitive email handling
  • Security headers on all responses
  • Database transaction handling
  • Deletion of old reset tokens

Security Considerations

Signup Route Security

  1. Password Security

    • Passwords hashed with bcryptjs using 10 rounds
    • Plain text passwords never stored
    • Passwords excluded from API responses

  2. Email Verification

    • Verification token generated using crypto.randomBytes
    • Token sent via email (not exposed in responses)
    • emailVerified set to null until verified

  3. Rate Limiting

    • 5 signups per hour per IP address
    • Prevents automated account creation
    • Rate limit headers included in responses

  4. Input Validation

    • Email format validation
    • Password minimum length (6 characters)
    • Password confirmation matching
    • Duplicate email prevention

Forgot Password Route Security

  1. Email Enumeration Prevention

    • Same response for existing and non-existing users
    • Prevents attackers from discovering registered emails
    • Consistent timing for all responses

  2. Token Security

    • Tokens generated using crypto.randomBytes (32 bytes)
    • Tokens hashed with bcryptjs before storage
    • Plain text token only sent via email
    • Tokens expire after 1 hour

  3. Rate Limiting

    • 5 requests per hour per IP address
    • Prevents brute force token generation
    • Rate limit headers included

  4. Token Management

    • Old tokens deleted before creating new ones
    • Prevents multiple active reset tokens
    • Clean database state

Mock Strategy

Mocked Dependencies

Both test suites utilize comprehensive mocking:

  1. Prisma Client

    • All database operations mocked
    • Consistent return values for predictable tests
    • Error scenarios tested

  2. bcryptjs

    • Hash function mocked to return consistent values
    • Allows testing without actual hashing overhead
    • Error cases tested

  3. crypto

    • randomBytes mocked for predictable token generation
    • Ensures consistent test results

  4. Email Service

    • sendVerificationEmail mocked
    • sendPasswordResetEmail mocked
    • Both success and failure scenarios tested

  5. Logger

    • All logging functions mocked
    • Prevents console noise during tests
    • Allows verification of logging behavior

  6. Rate Limit

    • clearRateLimit utility used in beforeEach
    • Ensures clean state between tests
    • Allows testing rate limit enforcement

Test Organization

Test Structure

Tests are organized into logical describe blocks:

Signup Tests:

  1. Successful signup
  2. Validation errors
  3. Duplicate email handling
  4. Rate limiting
  5. Error handling
  6. Email verification
  7. Email normalization
  8. Password validation edge cases
  9. Name field validation
  10. Response security
  11. IP-based rate limiting

Forgot Password Tests:

  1. Successful requests
  2. Validation errors
  3. Rate limiting
  4. Error handling
  5. Email normalization
  6. Token security
  7. Database operations
  8. Security headers
  9. IP extraction for rate limiting
  10. Email edge cases
  11. Response consistency

Coverage Achievements

Statements: 100%

All code statements in both routes are executed during tests.

Branches: 97.05% (Overall)

  • forgot-password: 100% - All branches covered
  • signup: 94.44% - One branch uncovered (line 26: Retry-After header condition)

Functions: 100%

All functions in both routes are tested.

Lines: 100%

All lines in both routes are covered.

Running the Tests

Run Signup Tests Only

npm test -- src/app/api/auth/__tests__/signup.test.ts --coverage

Run Forgot Password Tests Only

npm test -- src/app/api/auth/__tests__/forgot-password.test.ts --coverage

Run All Auth Tests

npm test -- src/app/api/auth/__tests__/signup.test.ts src/app/api/auth/__tests__/forgot-password.test.ts --coverage

Run with Coverage for Specific Files

npm test -- src/app/api/auth/__tests__/signup.test.ts --coverage --collectCoverageFrom="src/app/api/auth/signup/route.ts"

Recommendations

Areas for Further Testing

While the current test coverage is excellent, the following areas could be enhanced:

  1. Integration Testing

    • Test actual email sending in integration environment
    • Test actual database operations
    • Test with real bcrypt hashing

  2. Performance Testing

    • Test behavior under high load
    • Verify rate limiting across multiple IPs
    • Test database connection pooling

  3. Additional Edge Cases

    • Test with very long email addresses
    • Test with international characters in names
    • Test with various email providers

  4. Additional Routes

    • Tests for /api/auth/verify-email
    • Tests for /api/auth/reset-password
    • Tests for /api/auth/resend-verification

Maintenance Notes

  • Mock implementations should be kept in sync with actual implementations
  • When adding new features, ensure corresponding tests are added
  • Maintain minimum 95% coverage for all auth routes
  • Review and update security tests as threats evolve

Summary

The authentication API routes have exceptional test coverage with 60 comprehensive tests covering:

  • 30 tests for user signup/registration
  • 30 tests for password reset requests

All tests pass successfully with:

  • 100% statement coverage
  • 97.05% branch coverage
  • 100% function coverage
  • 100% line coverage

The tests thoroughly validate:

  • Business logic and workflows
  • Security features (rate limiting, email enumeration prevention, token security)
  • Input validation and error handling
  • Edge cases and boundary conditions
  • Response formats and data sanitization

This comprehensive test suite provides confidence in the authentication system's reliability, security, and correctness.

Documentation | Elite Events | Philip Rehberger