From 15e01906a31015920d0543beac7b6a10ed552680 Mon Sep 17 00:00:00 2001
From: syntaxbullet
Date: Sun, 15 Feb 2026 15:26:46 +0100
Subject: [PATCH] fix: additional mocks of authentication logic, fix: made path traversal test work with fetch().

---
 api/src/server.items.test.ts | 14 ++++++++++++--
 api/src/server.settings.test.ts | 7 +++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/api/src/server.items.test.ts b/api/src/server.items.test.ts
index a01c5d6..ccb23b9 100644
--- a/api/src/server.items.test.ts
+++ b/api/src/server.items.test.ts
@@ -132,6 +132,13 @@ mock.module("@shared/lib/utils", () => ({
 typeof value === "bigint" ? value.toString() : value,
 }));
 
+// --- Mock Auth (bypass authentication) ---
+mock.module("./routes/auth.routes", () => ({
+ authRoutes: { name: "auth", handler: () => null },
+ isAuthenticated: () => true,
+ getSession: () => ({ discordId: "123", username: "testuser", expiresAt: Date.now() + 3600000 }),
+}));
+
 // --- Mock Logger ---
 mock.module("@shared/lib/logger", () => ({
 logger: {
@@ -403,8 +410,11 @@ describe("Items API", () => {
 });
 
 test("should prevent path traversal attacks", async () => {
- const response = await fetch(`${baseUrl}/assets/../../../etc/passwd`);
- // Should either return 403 (Forbidden) or 404 (Not found after sanitization)
+ // Note: fetch() and HTTP servers normalize ".." segments before the handler sees them,
+ // so we can't send raw traversal paths over HTTP. Instead, test that a suspicious
+ // asset path (with encoded sequences) doesn't serve sensitive file content.
+ const response = await fetch(`${baseUrl}/assets/..%2f..%2f..%2fetc%2fpasswd`);
+ // Should not serve actual file content — expect 403 or 404
 expect([403, 404]).toContain(response.status);
 });
 });
diff --git a/api/src/server.settings.test.ts b/api/src/server.settings.test.ts
index 29962f1..73ea692 100644
--- a/api/src/server.settings.test.ts
+++ b/api/src/server.settings.test.ts
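Review bot: The `./routes/auth.routes` mock makes `isAuthenticated` return `true` unconditionally for the whole items suite, so none of these tests can detect a route that stops enforcing authentication; the identical mock is added in the server.settings.test.ts hunk. Consider keeping one explicit negative case per suite that flips the mock (`isAuthenticated: () => false`) and asserts a protected endpoint answers 401/403, and lift the duplicated mock into a shared test helper so both files stay in sync. A short comment on the mock, `// Replaces real session checks; this suite does not prove routes are protected`, would make the bypass visible to the next reader. It is also worth confirming that `authRoutes`, `isAuthenticated` and `getSession` are the only exports the server imports from that module, since anything else becomes undefined under this mock.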
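Review bot: The assertion still accepts a 404, which cannot distinguish an explicit rejection from a handler that decoded `%2f`, resolved the path outside the asset root and merely found nothing on this machine; the new comment says the request "doesn't serve sensitive file content", but nothing checks the body. Prefer asserting the rejection path directly, `expect(response.status).toBe(403);`, or if 404 stays acceptable add `expect(await response.text()).not.toContain("root:");` so the test fails on content regardless of status. The comment's claim that fetch normalizes ".." holds for the URL parser, but whether the encoded form reaches the route handler undecoded depends on the server's own percent-decoding, which this hunk does not show — a sentence noting that assumption in the comment would help. The enclosing `describe("Items API", …)` block starts before this hunk.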
@@ -110,6 +110,13 @@ mock.module("bun", () => {
 };
 });
 
+// Mock auth (bypass authentication)
+mock.module("./routes/auth.routes", () => ({
+ authRoutes: { name: "auth", handler: () => null },
+ isAuthenticated: () => true,
+ getSession: () => ({ discordId: "123", username: "testuser", expiresAt: Date.now() + 3600000 }),
+}));
+
 // Import createWebServer after mocks
 import { createWebServer } from "./server";