feat(api): server-authoritative session start/stop/discard with ownership scoping

2026-06-17 15:40:07 +02:00
parent 5e61b7720d
commit 940b06fd91
3 changed files with 317 additions and 0 deletions
--- a/apps/api/test/sessions.test.ts
+++ b/apps/api/test/sessions.test.ts
@@ -0,0 +1,209 @@
+import { describe, it, expect } from 'vitest';
+import type { Hono } from 'hono';
+import { createApp } from '../src/app';
+import { db } from '../src/db/client';
+import { workSessions } from '../src/db/schema';
+import { eq } from 'drizzle-orm';
+
+const json = { 'content-type': 'application/json' };
+
+// Sign up + sign in a user, returning the bearer token.
+async function authToken(app: Hono, email: string): Promise<string> {
+  const password = 'sterk-wachtwoord-123';
+  await app.request('/api/auth/sign-up/email', {
+    method: 'POST',
+    headers: json,
+    body: JSON.stringify({ email, password, name: email.split('@')[0] }),
+  });
+  const signin = await app.request('/api/auth/sign-in/email', {
+    method: 'POST',
+    headers: json,
+    body: JSON.stringify({ email, password }),
+  });
+  const token = signin.headers.get('set-auth-token');
+  if (!token) throw new Error('no token');
+  return token;
+}
+
+function bearer(token: string): Record<string, string> {
+  return { authorization: `Bearer ${token}`, 'content-type': 'application/json' };
+}
+
+// Create an activity via the API and return its id.
+async function createActivity(app: Hono, token: string, name: string): Promise<number> {
+  const res = await app.request('/api/activities', {
+    method: 'POST',
+    headers: bearer(token),
+    body: JSON.stringify({ name, insole_types: ['Kurk', 'Berk', '3D'] }),
+  });
+  const body = await res.json();
+  return body.id as number;
+}
+
+describe('session lifecycle', () => {
+  it('401s start/stop/discard without a token', async () => {
+    const app = createApp();
+
+    const start = await app.request('/api/sessions/start', {
+      method: 'POST',
+      headers: json,
+      body: JSON.stringify({ activity_id: 1, insole_type: 'Kurk', pair_count: 2 }),
+    });
+    expect(start.status).toBe(401);
+
+    const stop = await app.request('/api/sessions/1/stop', { method: 'POST' });
+    expect(stop.status).toBe(401);
+
+    const discard = await app.request('/api/sessions/1/discard', { method: 'POST' });
+    expect(discard.status).toBe(401);
+  });
+
+  it('starts an active session', async () => {
+    const app = createApp();
+    const token = await authToken(app, 'sess-start@example.com');
+    const activityId = await createActivity(app, token, 'Frezen');
+
+    const res = await app.request('/api/sessions/start', {
+      method: 'POST',
+      headers: bearer(token),
+      body: JSON.stringify({ activity_id: activityId, insole_type: 'Kurk', pair_count: 2 }),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(typeof body.id).toBe('number');
+    expect(body.activity_id).toBe(activityId);
+    expect(body.insole_type).toBe('Kurk');
+    expect(body.pair_count).toBe(2);
+    expect(body.status).toBe('active');
+    expect(body.source).toBe('app');
+    expect(body.end_time).toBeNull();
+    expect(body.duration_seconds).toBeNull();
+    expect(typeof body.start_time).toBe('string');
+    expect(typeof body.user_id).toBe('string');
+  });
+
+  it('400s start with a bad body', async () => {
+    const app = createApp();
+    const token = await authToken(app, 'sess-badbody@example.com');
+
+    const res = await app.request('/api/sessions/start', {
+      method: 'POST',
+      headers: bearer(token),
+      body: JSON.stringify({}),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it('404s start for a missing activity', async () => {
+    const app = createApp();
+    const token = await authToken(app, 'sess-missingact@example.com');
+
+    const res = await app.request('/api/sessions/start', {
+      method: 'POST',
+      headers: bearer(token),
+      body: JSON.stringify({ activity_id: 999999, insole_type: 'Kurk', pair_count: 2 }),
+    });
+    expect(res.status).toBe(404);
+  });
+
+  it('completes a session and computes duration', async () => {
+    const app = createApp();
+    const token = await authToken(app, 'sess-complete@example.com');
+    const activityId = await createActivity(app, token, 'Slijpen');
+
+    const startRes = await app.request('/api/sessions/start', {
+      method: 'POST',
+      headers: bearer(token),
+      body: JSON.stringify({ activity_id: activityId, insole_type: 'Berk', pair_count: 2 }),
+    });
+    const started = await startRes.json();
+
+    // Make the duration deterministic: backdate the start time by exactly 5s.
+    await db
+      .update(workSessions)
+      .set({ startTime: new Date(Date.now() - 5000) })
+      .where(eq(workSessions.id, started.id));
+
+    const res = await app.request(`/api/sessions/${started.id}/stop`, {
+      method: 'POST',
+      headers: bearer(token),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe('completed');
+    expect(body.end_time).not.toBeNull();
+    expect(body.duration_seconds).toBe(5);
+  });
+
+  it('409s stopping an already-completed session', async () => {
+    const app = createApp();
+    const token = await authToken(app, 'sess-doublestop@example.com');
+    const activityId = await createActivity(app, token, 'Bekleden');
+
+    const startRes = await app.request('/api/sessions/start', {
+      method: 'POST',
+      headers: bearer(token),
+      body: JSON.stringify({ activity_id: activityId, insole_type: 'Kurk', pair_count: 2 }),
+    });
+    const started = await startRes.json();
+
+    const first = await app.request(`/api/sessions/${started.id}/stop`, {
+      method: 'POST',
+      headers: bearer(token),
+    });
+    expect(first.status).toBe(200);
+
+    const second = await app.request(`/api/sessions/${started.id}/stop`, {
+      method: 'POST',
+      headers: bearer(token),
+    });
+    expect(second.status).toBe(409);
+  });
+
+  it('discards an active session', async () => {
+    const app = createApp();
+    const token = await authToken(app, 'sess-discard@example.com');
+    const activityId = await createActivity(app, token, 'Afwerken');
+
+    const startRes = await app.request('/api/sessions/start', {
+      method: 'POST',
+      headers: bearer(token),
+      body: JSON.stringify({ activity_id: activityId, insole_type: 'Kurk', pair_count: 2 }),
+    });
+    const started = await startRes.json();
+
+    const res = await app.request(`/api/sessions/${started.id}/discard`, {
+      method: 'POST',
+      headers: bearer(token),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe('discarded');
+    expect(body.duration_seconds).toBeNull();
+  });
+
+  it("does not let user B stop user A's session", async () => {
+    const app = createApp();
+    const tokenA = await authToken(app, 'sess-ownerA@example.com');
+    const tokenB = await authToken(app, 'sess-ownerB@example.com');
+    const activityId = await createActivity(app, tokenA, 'Printen');
+
+    const startRes = await app.request('/api/sessions/start', {
+      method: 'POST',
+      headers: bearer(tokenA),
+      body: JSON.stringify({ activity_id: activityId, insole_type: '3D', pair_count: 2 }),
+    });
+    const started = await startRes.json();
+
+    const res = await app.request(`/api/sessions/${started.id}/stop`, {
+      method: 'POST',
+      headers: bearer(tokenB),
+    });
+    expect(res.status).toBe(404);
+
+    // Verify via db the session is still active.
+    const [row] = await db.select().from(workSessions).where(eq(workSessions.id, started.id));
+    expect(row.status).toBe('active');
+    expect(row.endTime).toBeNull();
+  });
+});