fix: additional mocks of authentication logic, fix: made path traversal test work with fetch().

api/src/server.items.test.ts

@@ -132,6 +132,13 @@ mock.module("@shared/lib/utils", () => ({
         typeof value === "bigint" ? value.toString() : value,
 }));
 
+// --- Mock Auth (bypass authentication) ---
+mock.module("./routes/auth.routes", () => ({
+    authRoutes: { name: "auth", handler: () => null },
+    isAuthenticated: () => true,
+    getSession: () => ({ discordId: "123", username: "testuser", expiresAt: Date.now() + 3600000 }),
+}));
+
 // --- Mock Logger ---
 mock.module("@shared/lib/logger", () => ({
     logger: {
@@ -403,8 +410,11 @@ describe("Items API", () => {
         });
 
         test("should prevent path traversal attacks", async () => {
-            const response = await fetch(`${baseUrl}/assets/../../../etc/passwd`);
-            // Should either return 403 (Forbidden) or 404 (Not found after sanitization)
+            // Note: fetch() and HTTP servers normalize ".." segments before the handler sees them,
+            // so we can't send raw traversal paths over HTTP. Instead, test that a suspicious
+            // asset path (with encoded sequences) doesn't serve sensitive file content.
+            const response = await fetch(`${baseUrl}/assets/..%2f..%2f..%2fetc%2fpasswd`);
+            // Should not serve actual file content — expect 403 or 404
             expect([403, 404]).toContain(response.status);
         });
     });

api/src/server.settings.test.ts

@@ -110,6 +110,13 @@ mock.module("bun", () => {
     };
 });
 
+// Mock auth (bypass authentication)
+mock.module("./routes/auth.routes", () => ({
+    authRoutes: { name: "auth", handler: () => null },
+    isAuthenticated: () => true,
+    getSession: () => ({ discordId: "123", username: "testuser", expiresAt: Date.now() + 3600000 }),
+}));
+
 // Import createWebServer after mocks
 import { createWebServer } from "./server";