Alo/phaseflow
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement Garmin token management endpoints (P2.2, P2.3)

Browse Source 
Added three Garmin API endpoints for token management:

- POST /api/garmin/tokens: Accepts oauth1, oauth2, expires_at;
  encrypts tokens using AES-256-GCM; stores in user record;
  returns daysUntilExpiry

- DELETE /api/garmin/tokens: Clears encrypted tokens from user
  record and sets garminConnected to false

- GET /api/garmin/status: Returns connection status, days until
  expiry, expired flag, and warning level (critical ≤7 days,
  warning 8-14 days)

All endpoints use withAuth() middleware for authentication.
Added 26 tests covering encryption, validation, auth, and
warning level thresholds.

Also added pb_data/ to .gitignore for PocketBase data.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Petru
2026-01-10 19:45:16 +00:00
parent 24b7c0fd3e
commit 0fc25a49f1
6 changed files with 832 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

336
src/app/api/garmin/tokens/route.test.ts Normal file
View File

@@ -0,0 +1,336 @@
// ABOUTME: Unit tests for Garmin tokens API route.
// ABOUTME: Tests POST and DELETE /api/garmin/tokens for token storage and deletion.
import type { NextRequest } from "next/server";
import { NextResponse } from "next/server";
import { beforeEach, describe, expect, it, vi } from "vitest";
import type { User } from "@/types";
// Module-level variable to control mock user in tests
let currentMockUser: User | null = null;
// Track PocketBase update calls
const mockPbUpdate = vi.fn().mockResolvedValue({});
// Mock PocketBase
vi.mock("@/lib/pocketbase", () => ({
createPocketBaseClient: vi.fn(() => ({
collection: vi.fn(() => ({
update: mockPbUpdate,
})),
})),
}));
// Track encryption calls
const mockEncrypt = vi.fn((plaintext: string) => `encrypted:${plaintext}`);
// Mock encryption module
vi.mock("@/lib/encryption", () => ({
encrypt: (plaintext: string) => mockEncrypt(plaintext),
}));
// Mock the auth-middleware module
vi.mock("@/lib/auth-middleware", () => ({
withAuth: vi.fn((handler) => {
return async (request: NextRequest) => {
if (!currentMockUser) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
return handler(request, currentMockUser);
};
}),
}));
import { DELETE, POST } from "./route";
describe("POST /api/garmin/tokens", () => {
const mockUser: User = {
id: "user123",
email: "test@example.com",
garminConnected: false,
garminOauth1Token: "",
garminOauth2Token: "",
garminTokenExpiresAt: new Date("2025-01-01"),
calendarToken: "cal-secret-token",
lastPeriodDate: new Date("2025-01-15"),
cycleLength: 28,
notificationTime: "07:30",
timezone: "America/New_York",
activeOverrides: [],
created: new Date("2024-01-01"),
updated: new Date("2025-01-10"),
};
beforeEach(() => {
vi.clearAllMocks();
currentMockUser = null;
});
// Helper to create mock request with JSON body
function createMockRequest(body: Record<string, unknown>): NextRequest {
return {
json: vi.fn().mockResolvedValue(body),
} as unknown as NextRequest;
}
it("returns 401 when not authenticated", async () => {
currentMockUser = null;
const mockRequest = createMockRequest({
oauth1: { token: "abc", secret: "xyz" },
oauth2: { accessToken: "token123" },
expires_at: "2025-04-01T00:00:00Z",
});
const response = await POST(mockRequest);
expect(response.status).toBe(401);
const body = await response.json();
expect(body.error).toBe("Unauthorized");
});
it("stores encrypted tokens successfully", async () => {
currentMockUser = mockUser;
const mockRequest = createMockRequest({
oauth1: { token: "abc", secret: "xyz" },
oauth2: { accessToken: "token123" },
expires_at: "2025-04-01T00:00:00Z",
});
const response = await POST(mockRequest);
expect(response.status).toBe(200);
const body = await response.json();
expect(body.success).toBe(true);
expect(body.garminConnected).toBe(true);
});
it("encrypts oauth1 and oauth2 tokens before storing", async () => {
currentMockUser = mockUser;
const oauth1 = { token: "abc", secret: "xyz" };
const oauth2 = { accessToken: "token123" };
const mockRequest = createMockRequest({
oauth1,
oauth2,
expires_at: "2025-04-01T00:00:00Z",
});
await POST(mockRequest);
// Verify encrypt was called with JSON stringified tokens
expect(mockEncrypt).toHaveBeenCalledWith(JSON.stringify(oauth1));
expect(mockEncrypt).toHaveBeenCalledWith(JSON.stringify(oauth2));
});
it("updates user record with encrypted tokens and expiry", async () => {
currentMockUser = mockUser;
const oauth1 = { token: "abc", secret: "xyz" };
const oauth2 = { accessToken: "token123" };
const expiresAt = "2025-04-01T00:00:00Z";
const mockRequest = createMockRequest({
oauth1,
oauth2,
expires_at: expiresAt,
});
await POST(mockRequest);
expect(mockPbUpdate).toHaveBeenCalledWith("user123", {
garminOauth1Token: `encrypted:${JSON.stringify(oauth1)}`,
garminOauth2Token: `encrypted:${JSON.stringify(oauth2)}`,
garminTokenExpiresAt: expiresAt,
garminConnected: true,
});
});
it("returns 400 when oauth1 is missing", async () => {
currentMockUser = mockUser;
const mockRequest = createMockRequest({
oauth2: { accessToken: "token123" },
expires_at: "2025-04-01T00:00:00Z",
});
const response = await POST(mockRequest);
expect(response.status).toBe(400);
const body = await response.json();
expect(body.error).toContain("oauth1");
expect(mockPbUpdate).not.toHaveBeenCalled();
});
it("returns 400 when oauth2 is missing", async () => {
currentMockUser = mockUser;
const mockRequest = createMockRequest({
oauth1: { token: "abc", secret: "xyz" },
expires_at: "2025-04-01T00:00:00Z",
});
const response = await POST(mockRequest);
expect(response.status).toBe(400);
const body = await response.json();
expect(body.error).toContain("oauth2");
expect(mockPbUpdate).not.toHaveBeenCalled();
});
it("returns 400 when expires_at is missing", async () => {
currentMockUser = mockUser;
const mockRequest = createMockRequest({
oauth1: { token: "abc", secret: "xyz" },
oauth2: { accessToken: "token123" },
});
const response = await POST(mockRequest);
expect(response.status).toBe(400);
const body = await response.json();
expect(body.error).toContain("expires_at");
expect(mockPbUpdate).not.toHaveBeenCalled();
});
it("returns 400 when expires_at is not a valid date", async () => {
currentMockUser = mockUser;
const mockRequest = createMockRequest({
oauth1: { token: "abc", secret: "xyz" },
oauth2: { accessToken: "token123" },
expires_at: "not-a-date",
});
const response = await POST(mockRequest);
expect(response.status).toBe(400);
const body = await response.json();
expect(body.error).toContain("expires_at");
expect(mockPbUpdate).not.toHaveBeenCalled();
});
it("returns 400 when oauth1 is not an object", async () => {
currentMockUser = mockUser;
const mockRequest = createMockRequest({
oauth1: "not-an-object",
oauth2: { accessToken: "token123" },
expires_at: "2025-04-01T00:00:00Z",
});
const response = await POST(mockRequest);
expect(response.status).toBe(400);
const body = await response.json();
expect(body.error).toContain("oauth1");
expect(mockPbUpdate).not.toHaveBeenCalled();
});
it("returns 400 when oauth2 is not an object", async () => {
currentMockUser = mockUser;
const mockRequest = createMockRequest({
oauth1: { token: "abc", secret: "xyz" },
oauth2: "not-an-object",
expires_at: "2025-04-01T00:00:00Z",
});
const response = await POST(mockRequest);
expect(response.status).toBe(400);
const body = await response.json();
expect(body.error).toContain("oauth2");
expect(mockPbUpdate).not.toHaveBeenCalled();
});
it("returns daysUntilExpiry in response", async () => {
currentMockUser = mockUser;
// Set expires_at to 30 days from now
const futureDate = new Date();
futureDate.setDate(futureDate.getDate() + 30);
const mockRequest = createMockRequest({
oauth1: { token: "abc", secret: "xyz" },
oauth2: { accessToken: "token123" },
expires_at: futureDate.toISOString(),
});
const response = await POST(mockRequest);
expect(response.status).toBe(200);
const body = await response.json();
expect(body.daysUntilExpiry).toBeGreaterThanOrEqual(29);
expect(body.daysUntilExpiry).toBeLessThanOrEqual(30);
});
});
describe("DELETE /api/garmin/tokens", () => {
const mockUser: User = {
id: "user123",
email: "test@example.com",
garminConnected: true,
garminOauth1Token: "encrypted-token-1",
garminOauth2Token: "encrypted-token-2",
garminTokenExpiresAt: new Date("2025-06-01"),
calendarToken: "cal-secret-token",
lastPeriodDate: new Date("2025-01-15"),
cycleLength: 28,
notificationTime: "07:30",
timezone: "America/New_York",
activeOverrides: [],
created: new Date("2024-01-01"),
updated: new Date("2025-01-10"),
};
beforeEach(() => {
vi.clearAllMocks();
currentMockUser = null;
});
it("returns 401 when not authenticated", async () => {
currentMockUser = null;
const mockRequest = {} as NextRequest;
const response = await DELETE(mockRequest);
expect(response.status).toBe(401);
const body = await response.json();
expect(body.error).toBe("Unauthorized");
});
it("clears tokens and sets garminConnected to false", async () => {
currentMockUser = mockUser;
const mockRequest = {} as NextRequest;
const response = await DELETE(mockRequest);
expect(response.status).toBe(200);
expect(mockPbUpdate).toHaveBeenCalledWith("user123", {
garminOauth1Token: "",
garminOauth2Token: "",
garminTokenExpiresAt: null,
garminConnected: false,
});
});
it("returns success response after deletion", async () => {
currentMockUser = mockUser;
const mockRequest = {} as NextRequest;
const response = await DELETE(mockRequest);
expect(response.status).toBe(200);
const body = await response.json();
expect(body.success).toBe(true);
expect(body.garminConnected).toBe(false);
});
it("works even when user has no tokens", async () => {
currentMockUser = {
...mockUser,
garminConnected: false,
garminOauth1Token: "",
garminOauth2Token: "",
};
const mockRequest = {} as NextRequest;
const response = await DELETE(mockRequest);
expect(response.status).toBe(200);
const body = await response.json();
expect(body.success).toBe(true);
});
});