Files
app/src/__tests__/bank-accounts.test.ts
BOHA 753c16423c fix(settings): bank accounts saved blank — flatten payload + harden schema to strictObject
The bank form posted {id, bank:{...}} (nested) but the route/schema read fields
at the top level; lenient z.object silently stripped the wrapper, so every field
saved as null while returning success. Flatten the payload to top level and switch
the create/update schemas to strictObject so a future nesting 400s loudly instead
of saving a blank record. Affects both create and edit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 19:39:43 +02:00

153 lines
4.8 KiB
TypeScript

import { describe, it, expect, beforeAll, afterAll } from "vitest";
import Fastify from "fastify";
import jwt from "jsonwebtoken";
import bankAccountsRoutes from "../routes/admin/bank-accounts";
import prisma from "../config/database";
import { config } from "../config/env";
// Fixture marker so cleanup never touches real data.
const N = "bank_accounts_test_";
let app: ReturnType<typeof Fastify>;
let token: string;
const createdIds: number[] = [];
beforeAll(async () => {
app = Fastify({ logger: false });
await app.register(bankAccountsRoutes, {
prefix: "/api/admin/bank-accounts",
});
await prisma.users
.deleteMany({ where: { username: { startsWith: N } } })
.catch(() => {});
// Admin role bypasses the settings.banking permission guard.
const adminRole = await prisma.roles.findFirst({ where: { name: "admin" } });
if (!adminRole)
throw new Error("Test setup: no admin role found — seed the database");
const user = await prisma.users.create({
data: {
username: `${N}user`,
email: `${N}user@test.local`,
password_hash: "x",
first_name: "Bank",
last_name: "Test",
is_active: true,
totp_enabled: false,
role_id: adminRole.id,
},
});
token = jwt.sign(
{ sub: user.id, username: user.username, role: "admin" },
config.jwt.secret,
{ expiresIn: config.jwt.accessTokenExpiry },
);
});
afterAll(async () => {
if (createdIds.length) {
await prisma.bank_accounts
.deleteMany({ where: { id: { in: createdIds } } })
.catch(() => {});
}
await prisma.users
.deleteMany({ where: { username: { startsWith: N } } })
.catch(() => {});
await app.close();
});
const auth = { authorization: () => `Bearer ${token}` };
describe("bank accounts — flat-body create/update persists all fields", () => {
it("creates an account from a flat top-level body and persists every field", async () => {
const payload = {
account_name: `${N}Hlavní účet`,
bank_name: "Komerční banka",
account_number: "123456789/0100",
iban: "CZ6508000000192000145399",
bic: "KOMBCZPP",
currency: "CZK",
is_default: true,
};
const post = await app.inject({
method: "POST",
url: "/api/admin/bank-accounts/",
headers: { authorization: auth.authorization() },
payload,
});
expect(post.statusCode).toBe(201);
const id = post.json().data.id as number;
expect(typeof id).toBe("number");
createdIds.push(id);
// Read back via the list endpoint and confirm NONE of the fields are blank.
const row = await prisma.bank_accounts.findUnique({ where: { id } });
expect(row?.account_name).toBe(payload.account_name);
expect(row?.bank_name).toBe(payload.bank_name);
expect(row?.account_number).toBe(payload.account_number);
expect(row?.iban).toBe(payload.iban);
expect(row?.bic).toBe(payload.bic);
expect(row?.currency).toBe("CZK");
expect(row?.is_default).toBe(true);
});
it("updates an account from a flat body that also carries the id", async () => {
const created = await prisma.bank_accounts.create({
data: { account_name: `${N}orig`, bank_name: "Orig", currency: "CZK" },
});
createdIds.push(created.id);
// Mirrors the client payload: spread fields + id (id routes the URL/method,
// is declared in the schema, and is ignored by the route which uses :id).
const put = await app.inject({
method: "PUT",
url: `/api/admin/bank-accounts/${created.id}`,
headers: { authorization: auth.authorization() },
payload: {
id: created.id,
account_name: `${N}upraveno`,
bank_name: "Nová banka",
iban: "CZ9999",
currency: "EUR",
is_default: false,
},
});
expect(put.statusCode).toBe(200);
const row = await prisma.bank_accounts.findUnique({
where: { id: created.id },
});
expect(row?.account_name).toBe(`${N}upraveno`);
expect(row?.bank_name).toBe("Nová banka");
expect(row?.iban).toBe("CZ9999");
expect(row?.currency).toBe("EUR");
});
it("rejects the old nested {bank:{...}} body shape with 400 (no silent blank save)", async () => {
const post = await app.inject({
method: "POST",
url: "/api/admin/bank-accounts/",
headers: { authorization: auth.authorization() },
payload: { bank: { account_name: `${N}nested`, bank_name: "X" } },
});
expect(post.statusCode).toBe(400);
// And nothing was persisted under that name.
const leaked = await prisma.bank_accounts.findFirst({
where: { account_name: `${N}nested` },
});
expect(leaked).toBeNull();
});
it("requires authentication", async () => {
const res = await app.inject({
method: "GET",
url: "/api/admin/bank-accounts/",
});
expect(res.statusCode).toBe(401);
});
});