No test suite - zero test coverage for critical auth and API flows #9

@AdamEXu

Problem

From CLAUDE.md:189:

No formal test suite currently. Manual testing: ...

Current test coverage: 0%

Risk

Without automated tests:

  • ❌ No validation of business logic
  • ❌ Regressions can slip through
  • ❌ Refactoring is risky
  • ❌ Can't safely upgrade dependencies
  • ❌ Hard to onboard new developers
  • ❌ Manual testing is time-consuming and error-prone

Critical Flows That Need Tests

1. Authentication (HIGH PRIORITY)

  • Google OAuth flow
  • Email magic link flow
  • Session management
  • OAuth state validation
  • CSRF protection

2. API Endpoints (HIGH PRIORITY)

  • API key authentication
  • Permission checking
  • Rate limiting enforcement
  • Event registration
  • User lookup

3. Admin Functions (MEDIUM PRIORITY)

  • Admin permission system
  • User management
  • API key creation
  • Database operations

4. Data Deletion (HIGH PRIORITY - GDPR)

  • Complete user deletion
  • Discord role removal
  • Listmonk cleanup
  • Verification of deletion

5. Discord Integration (MEDIUM PRIORITY)

  • Token verification
  • Role assignment
  • Account unlinking

Recommended Test Structure

tests/
├── conftest.py              # Pytest fixtures
├── test_auth.py             # Authentication flows
├── test_api.py              # API endpoints
├── test_admin.py            # Admin operations
├── test_data_deletion.py   # GDPR compliance
├── test_discord.py          # Discord integration
└── test_permissions.py      # Permission system

Example Test (to get started)

# tests/test_api.py
import pytest
from app import app

@pytest.fixture
def client():
    app.config['TESTING'] = True
    with app.test_client() as client:
        yield client

def test_api_requires_auth(client):
    """Test that API endpoints require authentication"""
    response = client.get('/api/current-event')
    assert response.status_code == 401

def test_api_with_valid_key(client):
    """Test API with valid key returns data"""
    headers = {'Authorization': 'Bearer hack.sv.test_key_here'}
    response = client.get('/api/current-event', headers=headers)
    # Should work if key exists, or return 403 if not
    assert response.status_code in [200, 403]

Setup Instructions

# Install pytest
pip install pytest pytest-cov pytest-mock

# Run tests
pytest tests/

# Run with coverage
pytest --cov=. --cov-report=html tests/

# Run specific test file
pytest tests/test_auth.py -v

Success Criteria

  • >80% code coverage for critical paths
  • All auth flows tested
  • All API endpoints tested
  • Data deletion verified
  • CI/CD integration (GitHub Actions)
  • Tests run on every PR

Labels

testing, high-priority, technical-debt
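
An added example, not part of the original issue or the project's code: the starter test above accepts either 200 or 403 because it cannot know whether the key exists, so this sketch seeds a known key and asserts one exact status per case. `authorize`, `KEY_STORE`, `TEST_KEY` and the permission names are hypothetical stand-ins for the app's real key check. The 401/403 mapping follows the issue's example (401 with no credential, 403 for an unknown key), and hashed key storage is an assumption.

```python
import hashlib
import hmac

# Constructed sample data: the store maps SHA-256 digests of keys to permissions.
TEST_KEY = "hack.sv.constructed_test_key"
KEY_STORE = {hashlib.sha256(TEST_KEY.encode()).hexdigest(): {"events.read"}}


def authorize(auth_header, required_permission, key_store=KEY_STORE):
    """Hypothetical stand-in for the app's API-key check; returns an HTTP status.

    401: no usable bearer credential (missing header, wrong scheme, empty token).
    403: a key was presented but is unknown or lacks the permission.
    200: the key is known and carries the required permission.
    """
    if not auth_header:
        return 401
    scheme, _, token = auth_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401
    digest = hashlib.sha256(token.encode()).hexdigest()
    permissions = None
    # Compare digests with hmac.compare_digest rather than ==.
    for stored, perms in key_store.items():
        if hmac.compare_digest(stored, digest):
            permissions = perms
    if permissions is None or required_permission not in permissions:
        return 403
    return 200


def run_cases():
    """Exercise every branch with one exact expected status per case."""
    cases = [
        (None, "events.read", 401),                      # no header at all
        ("Basic " + TEST_KEY, "events.read", 401),       # wrong scheme
        ("Bearer ", "events.read", 401),                 # empty token
        ("Bearer hack.sv.unknown", "events.read", 403),  # unknown key
        ("Bearer " + TEST_KEY, "admin.write", 403),      # known key, no permission
        ("Bearer " + TEST_KEY, "events.read", 200),      # known key, permitted
    ]
    return [(hdr, perm, want, authorize(hdr, perm)) for hdr, perm, want in cases]


if __name__ == "__main__":
    for hdr, perm, want, got in run_cases():
        print("ok  " if want == got else "FAIL", got, perm, repr(hdr))
```

The same case table drops into `pytest.mark.parametrize` once the real check is exposed through a seeded test fixture.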

Labels: enhancement, help wanted