Lint errors in test scripts

Author: sabbas-ctrl

app/controllers/authController.js

@@ -123,8 +123,12 @@ export const login = async (req, res) => {
 // === LOGOUT ===
 export const logout = async (req, res) => {
   try {
-    logger.info(`User logout attempt`);
-    res.status(200).json({ message: 'Logout handled on client side. Token deleted.' });
+    const userId = req.user?.id; // if you have verifyToken middleware
+    if (userId) {
+      await User.findByIdAndUpdate(userId, { $unset: { refreshToken: 1 } });
+      logger.info(`User ${userId} logged out — refresh token removed from DB`);
+    }
+    res.status(200).json({ message: 'Logout successful. Refresh token removed.' });
   } catch (err) {
     logger.error('Logout error', err);
     res.status(500).json({ message: 'Server error during logout.' });
@@ -137,17 +141,20 @@ export const refreshToken = async (req, res) => {
   if (!token) return res.status(401).json({ message: 'Refresh token required' });
 
   try {
+    console.log("Incoming refresh token:", token);
     const user = await User.findOne({ refreshToken: token });
+    console.log("User found:", !!user);
+
     if (!user) return res.status(403).json({ message: 'Invalid refresh token' });
 
-    jwt.verify(token, JWT_REFRESH_SECRET, (err, decoded) => {
+    jwt.verify(token, JWT_REFRESH_SECRET, async (err, decoded) => {
       if (err || decoded.id !== user._id.toString()) {
         return res.status(403).json({ message: 'Invalid or expired refresh token' });
       }
 
       const { accessToken, refreshToken: newRefreshToken } = generateTokens(user);
       user.refreshToken = newRefreshToken;
-      user.save();
+      await user.save(); // ✅ Ensure DB is updated before returning
 
       res.json({ accessToken, refreshToken: newRefreshToken });
     });
@@ -157,6 +164,7 @@ export const refreshToken = async (req, res) => {
   }
 };
 
+
 // === DEV REGISTER ===
 export const devRegister = async (req, res) => {
   try {

app/jobs/tokenCleanupJob.js

@@ -0,0 +1,75 @@
+import cron from 'node-cron';
+import jwt from 'jsonwebtoken';
+import User from '../models/User.js';
+import winston from 'winston';
+import nodemailer from 'nodemailer';
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+// Logger setup
+const logger = winston.createLogger({
+  level: 'info',
+  format: winston.format.combine(
+    winston.format.timestamp(),
+    winston.format.json()
+  ),
+  transports: [new winston.transports.File({ filename: 'logs/auth.log' })],
+});
+
+// Email transport (only if email reporting enabled)
+let transporter = null;
+if (process.env.SEND_CLEANUP_EMAIL === 'true') {
+  transporter = nodemailer.createTransport({
+    service: process.env.EMAIL_SERVICE, // e.g., 'gmail'
+    auth: {
+      user: process.env.EMAIL_USER,
+      pass: process.env.EMAIL_PASS
+    }
+  });
+}
+
+const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET;
+
+async function cleanupExpiredTokens() {
+  logger.info("🧹 Starting refresh token cleanup...");
+
+  const usersWithTokens = await User.find({ refreshToken: { $exists: true, $ne: null } });
+  let removedCount = 0;
+  let keptCount = 0;
+
+  for (const user of usersWithTokens) {
+    try {
+      // Verify without throwing
+      jwt.verify(user.refreshToken, JWT_REFRESH_SECRET);
+      keptCount++;
+    } catch (err) {
+      if (err.name === 'TokenExpiredError') {
+        await User.updateOne({ _id: user._id }, { $unset: { refreshToken: "" } });
+        removedCount++;
+      } else {
+        logger.error(`❌ Error verifying token for ${user.email}: ${err.message}`);
+      }
+    }
+  }
+
+  const summary = `✅ Cleanup complete: Removed ${removedCount} expired refresh tokens, kept ${keptCount} active ones.`;
+  logger.info(summary);
+  console.log(summary);
+
+  // Optional email report
+  if (transporter) {
+    await transporter.sendMail({
+      from: process.env.EMAIL_USER,
+      to: process.env.CLEANUP_EMAIL_TO,
+      subject: "Refresh Token Cleanup Summary",
+      text: summary
+    });
+    logger.info("📧 Cleanup summary email sent.");
+  }
+}
+
+// Schedule job — daily at midnight
+cron.schedule('0 0 * * *', cleanupExpiredTokens);
+
+export default cleanupExpiredTokens;

app/logs/auth.log

@@ -20,3 +20,28 @@
 {"level":"info","message":"✅ User registered: viewer_1754615267686@test.com by 68954de468228c1b5a79ecaa"}
 {"level":"info","message":"✅ User login: viewer_1754615267686@test.com"}
 {"level":"info","message":"User logout attempt"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User registered: viewer_1754615939253@test.com by 68954de468228c1b5a79ecaa"}
+{"level":"info","message":"✅ User login: viewer_1754615939253@test.com"}
+{"level":"info","message":"User logout attempt"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User registered: viewer_1754616462441@test.com by 68954de468228c1b5a79ecaa"}
+{"level":"info","message":"✅ User login: viewer_1754616462441@test.com"}
+{"level":"info","message":"User logout attempt"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User registered: viewer_1754616551458@test.com by 68954de468228c1b5a79ecaa"}
+{"level":"info","message":"✅ User login: viewer_1754616551458@test.com"}
+{"level":"info","message":"User logout attempt"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User registered: viewer_1754617415185@test.com by 68954de468228c1b5a79ecaa"}
+{"level":"info","message":"✅ User login: viewer_1754617415185@test.com"}
+{"level":"info","message":"User logout attempt"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User login: sabbbas.a30@gmail.com"}
+{"level":"info","message":"✅ User registered: viewer_1754617445194@test.com by 68954de468228c1b5a79ecaa"}
+{"level":"info","message":"✅ User login: viewer_1754617445194@test.com"}
+{"level":"info","message":"User logout attempt"}

app/package.json

@@ -50,6 +50,7 @@
     "helmet": "^8.1.0",
     "jsonwebtoken": "^9.0.2",
     "mongoose": "^8.17.0",
+    "node-cron": "^4.2.1",
     "winston": "^3.17.0"
   },
   "devDependencies": {

app/server.js

@@ -4,6 +4,7 @@ import mongoose from 'mongoose';
 import cors from 'cors';
 import helmet from 'helmet';
 import authRoutes from './routes/authRoutes.js';
+import './jobs/tokenCleanupJob.js';
 
 dotenv.config();
 

app/tests/auth.test.js

@@ -1,4 +1,4 @@
-// app/tests/auth.full.test.js
+/* eslint-env mocha */
 import request from 'supertest';
 import { expect } from 'chai';
 import mongoose from 'mongoose';
@@ -74,7 +74,7 @@ describe('Auth API - Full Supertest Suite', function () {
         if (r.note) console.log(`   note: ${r.note}`);
       });
     } finally {
-      // leave DB intact by request (you said you want to inspect data)
+      // leave DB intact by request
       await mongoose.disconnect();
       console.log('Disconnected from MongoDB');
     }
@@ -86,7 +86,6 @@ describe('Auth API - Full Supertest Suite', function () {
       const res = await request(app).get('/health');
       expect(res.status).to.equal(200);
       expect(res.body).to.have.property('status');
-      // Accept both 'OK' and 'Ok' or 'ok' depending on your implementation
       results.push({ name: testName, status: 'passed', note: `status=${res.body.status}` });
     } catch (err) {
       console.error('TEST ERROR - Health check:', err);
@@ -106,6 +105,10 @@ describe('Auth API - Full Supertest Suite', function () {
       expect(res.body).to.have.property('accessToken');
       expect(res.body).to.have.property('refreshToken');
 
+      // 🔹 Update latest tokens so refresh test always uses the fresh DB one
+      adminToken = res.body.accessToken;
+      adminRefreshToken = res.body.refreshToken;
+
       results.push({ name: testName, status: 'passed' });
     } catch (err) {
       console.error('TEST ERROR - Admin login:', err);
@@ -117,7 +120,6 @@ describe('Auth API - Full Supertest Suite', function () {
   it('Register viewer (admin) — POST /auth/register with admin token', async () => {
     const testName = 'Register viewer (admin)';
     try {
-      // ensure uniqueness (we already set viewerEmail unique)
       const res = await request(app)
         .post('/auth/register')
         .set('Authorization', `Bearer ${adminToken}`)
@@ -130,13 +132,10 @@ describe('Auth API - Full Supertest Suite', function () {
           addedBy: adminId
         });
 
-      // 201 expected on create; backend returns 400 if user exists
       expect(res.status).to.equal(201);
       results.push({ name: testName, status: 'passed', note: `created ${viewerEmail}` });
     } catch (err) {
-      // If backend replies with 400 user already exists (shouldn't happen because unique email)
       console.error('TEST ERROR - Register viewer:', err);
-      // capture response body if available (supertest supplies err.response)
       const body = err.response ? err.response.body : undefined;
       results.push({ name: testName, status: 'failed', error: err.message, body });
       expect.fail(err.message);
@@ -157,7 +156,6 @@ describe('Auth API - Full Supertest Suite', function () {
           addedBy: adminId
         });
 
-      // Expect 401 (missing token) or 403 depending on your verifyToken implementation.
       expect([401, 403]).to.include(res.status);
       results.push({ name: testName, status: 'passed', note: `status=${res.status}` });
     } catch (err) {
@@ -173,7 +171,6 @@ describe('Auth API - Full Supertest Suite', function () {
       const res = await request(app).post('/auth/refresh').send({ token: adminRefreshToken });
       expect(res.status).to.equal(200);
       expect(res.body).to.have.property('accessToken');
-      // optionally capture the new refresh token if backend returns it
       results.push({ name: testName, status: 'passed' });
     } catch (err) {
       console.error('TEST ERROR - Refresh token:', err);
@@ -186,7 +183,6 @@ describe('Auth API - Full Supertest Suite', function () {
   it('Viewer cannot call admin-only register — POST /auth/register (viewer token)', async () => {
     const testName = 'Viewer blocked from admin route';
     try {
-      // login viewer first (we created viewer earlier with unique email)
       const logRes = await request(app).post('/auth/login').send({ email: viewerEmail, password: viewerPassword });
       expect(logRes.status).to.equal(200);
       const viewerToken = logRes.body.accessToken;
@@ -202,7 +198,6 @@ describe('Auth API - Full Supertest Suite', function () {
           permissions: []
         });
 
-      // Expect forbidden: 403 (if your role middleware uses 403), or other non-200
       expect(res.status).to.equal(403);
       results.push({ name: testName, status: 'passed' });
     } catch (err) {