DOCs + Tests[api]#3
Conversation
|
Thanks for this, the docs are a genuine upgrade and the test scaffold is overdue. A few things to sort before it can merge though. Blocking
Non-blocking nits
Happy to re-review the moment CI is green. Nice work on the docs especially. |
RaghavDabra
left a comment
There was a problem hiding this comment.
Review: DOCs + Tests [api] (#3)
Good coverage of the route layer and the docs are genuinely useful. Main concerns are around the CSRF dependency....Requesting changes on the CSRF item before merge.
Blocking
csrf-csrfis added as a dependency but I don't see it wired in. package.json gains"csrf-csrf": "^4.0.3", and the CodeQL "Missing CSRF middleware" alert is firing 10×, but nothing in this diff actually installs the middleware on the app. Two outcomes, both need addressing:- If the intent was to suppress the alert by adding test files to
paths-ignore, say so explicitly — those 10 alerts are firing on the test harnesscookieParser()calls, which are false positives. The real question is whether the production app (server/index.ts) has CSRF protection. That's not shown here. - If you do wire
csrf-csrfin globally, it must exempt the Cashfree webhook (POST /api/payments/webhooks/cashfree) and any bearer-token API paths — external callers and mobile clients can't present a CSRF token. Otherwise payments break. Worth a follow-up ticket reference either way.
- If the intent was to suppress the alert by adding test files to
Coverage gate — needs a decision
-
The 60% gate looks global but is scoped to a hand-picked file list. The
coverage.includeinvite.config.tslists ~14 files (the ones this PR happens to test) and explicitly excludes the service/repository layer. Socoverage-gatecan pass at "60% lines / 50% branches" while the bulk of business logic (searchEngine,foodService,ridesService, repositories) sits at 0% and isn't counted. The exclusion is documented with a follow-up issue, which is the right instinct — but the gate as written gives a false sense of safety. Suggest either naming it honestly (it's a "tested-files gate," not a project gate) or counting the untested files so the number reflects reality and trends upward as coverage lands. -
Coverage is computed up to three times per run.
unitrunstest:coverageon Node 20 and 22, thencoverage-gatere-runs it again from scratch with CLI threshold flags that duplicate thethresholdsblock already invite.config.ts. Since the config thresholds already fail theunitjob on a breach,coverage-gateis largely redundant compute. Either drop the separate job or have it download the uploaded artifact instead of re-running.
Needs confirmation
-
smokejob runspnpm dev:server— does that script exist? The package.json diff only addstest:runandtest:coverage; I don't seedev:server. If it's not already in scripts, the smoke job fails immediately. Please confirm. -
Payment-intent endpoints accept unauthenticated requests by design?
does not set x-user-id when unauthenticatedasserts intents can be created without auth. If that's intentional (guest checkout) it's fine, but worth a comment in the route — otherwise it reads like a missing auth guard on a money path.
Non-blocking
-
Inaccurate comment in
vite.config.ts. The note says vitest's v8 provider "defaults to requiring 100% coverage project-wide." It doesn't — there's no default threshold; thethresholdsblock you added is what creates the gate. The comment will mislead the next person who touches this. Reword to "without this block there is no coverage gate." -
TESTING.md documents an SSE test for an endpoint that doesn't exist yet.
GET /api/sse/price-alertsis described as "planned" in ARCHITECTURE.md but the testing guide presents a passing-looking test for it. Mark it clearly as aspirational so nobody assumes it's wired. -
JWT_SECRET is set at module load with a different value per test file. Works under Vitest's default file isolation, but will produce cross-test token failures if isolation is ever disabled (
pool: 'threads'withisolate: false). A shared test setup file would be more robust. Minor. -
PR scope is large — docs, route tests, three CI workflows, a new runtime dependency, and a vite config rework in one PR. The
csrf-csrfdependency in particular doesn't belong with a "DOCs + Tests" PR; splitting it out would make the security change reviewable on its own.
We needed a better docs for later purpose, and also needed to test the api with mock data
which has passed on my end and works fine
also added a test.yml for the github actions to run the test.
so far everything looks good will go ahead with new APIs
for future reference please run this before committing
to this repo
closes #2