tests/unit/security-error-responses.test.ts

/**
 * Security: Error Response Sanitization
 *
 * Verifies that errorResponse() never leaks stack traces, SQL queries,
 * internal file paths, or other sensitive server-side details to callers.
 *
 * Rule from SECURITY-GUIDELINES.md:
 *   "Error responses must NEVER contain stack traces, SQL queries, or internal paths"
 */
import { beforeAll, describe, expect, it, vi } from 'vitest';

// ── Mock next/server before importing the module under test ──────────────────
// NextResponse is a Next.js runtime class unavailable in a plain Node environment.
// We replace it with a minimal shim that captures status + body.

vi.mock('next/server', () => {
  class MockNextResponse {
    readonly status: number;
    private body: unknown;

    constructor(body: unknown, init?: { status?: number }) {
      this.body = body;
      this.status = init?.status ?? 200;
    }

    async json() {
      return this.body;
    }

    static json(body: unknown, init?: { status?: number }) {
      return new MockNextResponse(body, init);
    }
  }

  return { NextResponse: MockNextResponse };
});

// Mock the logger so error-level calls don't pollute test output
vi.mock('@/lib/logger', () => ({
  logger: {
    error: vi.fn(),
    warn: vi.fn(),
    info: vi.fn(),
  },
}));

import {
  AppError,
  ForbiddenError,
  NotFoundError,
  RateLimitError,
  ValidationError,
  errorResponse,
} from '@/lib/errors';

// ─────────────────────────────────────────────────────────────────────────────

describe('Error response security — AppError subclasses', () => {
  it('AppError returns correct status without leaking constructor args', async () => {
    const error = new AppError(400, 'Bad request', 'BAD_REQUEST');
    const response = errorResponse(error);
    expect(response.status).toBe(400);
    const body = await response.json();
    expect(body.error).toBe('Bad request');
    expect(body.code).toBe('BAD_REQUEST');
    // Stack trace must never appear in the response body
    expect(JSON.stringify(body)).not.toMatch(/at\s+\w+/); // no call-site lines
    expect(JSON.stringify(body)).not.toContain('node_modules');
  });

  it('NotFoundError returns 404 with generic message, not entity internals', async () => {
    const error = new NotFoundError('Client');
    const response = errorResponse(error);
    expect(response.status).toBe(404);
    const body = await response.json();
    expect(body.error).toBe('Client not found');
    expect(body.code).toBe('NOT_FOUND');
    expect(JSON.stringify(body)).not.toContain('stack');
  });

  it('ForbiddenError returns 403', async () => {
    const error = new ForbiddenError();
    const response = errorResponse(error);
    expect(response.status).toBe(403);
    const body = await response.json();
    expect(body.code).toBe('FORBIDDEN');
  });

  it('RateLimitError returns 429 with retryAfter but no stack', async () => {
    const error = new RateLimitError(60);
    const response = errorResponse(error);
    expect(response.status).toBe(429);
    const body = await response.json();
    expect(body.retryAfter).toBe(60);
    expect(JSON.stringify(body)).not.toMatch(/stack|node_modules/i);
  });

  it('ValidationError returns 400 with details array, no internal paths', async () => {
    const error = new ValidationError('Invalid input', [
      { field: 'email', message: 'Invalid email format' },
    ]);
    const response = errorResponse(error);
    expect(response.status).toBe(400);
    const body = await response.json();
    expect(body.details).toHaveLength(1);
    expect(body.details[0].field).toBe('email');
    expect(JSON.stringify(body)).not.toContain('src/');
    expect(JSON.stringify(body)).not.toContain('G:\\');
  });
});

describe('Error response security — unknown / native errors', () => {
  it('native Error with SQL content returns generic 500', async () => {
    const error = new Error(
      "SELECT * FROM users WHERE id = 1; DROP TABLE users;--",
    );
    const response = errorResponse(error);
    expect(response.status).toBe(500);
    const body = await response.json();
    expect(body.error).toBe('Internal server error');
    expect(JSON.stringify(body)).not.toContain('SELECT');
    expect(JSON.stringify(body)).not.toContain('DROP TABLE');
  });

  it('native Error with Windows file path returns generic 500 without path', async () => {
    const error = new Error(
      'at Object.<anonymous> (G:\\Repos\\new-pn-crm\\src\\lib\\db\\index.ts:15:3)',
    );
    const response = errorResponse(error);
    expect(response.status).toBe(500);
    const body = await response.json();
    expect(body.error).toBe('Internal server error');
    expect(JSON.stringify(body)).not.toContain('G:\\');
    expect(JSON.stringify(body)).not.toContain('src\\lib');
  });

  it('native Error with node_modules path returns generic 500 without path', async () => {
    const error = new Error(
      'ENOENT: no such file at /app/node_modules/pg/lib/connection.js',
    );
    const response = errorResponse(error);
    expect(response.status).toBe(500);
    const body = await response.json();
    expect(body.error).toBe('Internal server error');
    expect(JSON.stringify(body)).not.toContain('node_modules');
    expect(JSON.stringify(body)).not.toContain('ENOENT');
  });

  it('native Error with Postgres relation message returns generic 500', async () => {
    const error = new Error('relation "users" does not exist');
    const response = errorResponse(error);
    expect(response.status).toBe(500);
    const body = await response.json();
    expect(body.error).toBe('Internal server error');
    expect(JSON.stringify(body)).not.toContain('relation');
    expect(JSON.stringify(body)).not.toContain('"users"');
  });

  it('null thrown value returns generic 500', async () => {
    const response = errorResponse(null);
    expect(response.status).toBe(500);
    const body = await response.json();
    expect(body.error).toBe('Internal server error');
  });

  it('string thrown returns generic 500', async () => {
    const response = errorResponse('something went wrong internally');
    expect(response.status).toBe(500);
    const body = await response.json();
    expect(body.error).toBe('Internal server error');
    // The raw string must not appear in the response
    expect(JSON.stringify(body)).not.toContain('something went wrong internally');
  });
});

describe('Error response security — ZodError', () => {
  it('ZodError returns 400 with VALIDATION_ERROR code', async () => {
    const { ZodError, ZodIssueCode } = await import('zod');
    const error = new ZodError([
      {
        code: ZodIssueCode.invalid_type,
        expected: 'string',
        received: 'number',
        path: ['name'],
        message: 'Expected string, received number',
      },
    ]);
    const response = errorResponse(error);
    expect(response.status).toBe(400);
    const body = await response.json();
    expect(body.code).toBe('VALIDATION_ERROR');
    expect(body.details).toBeDefined();
    expect(Array.isArray(body.details)).toBe(true);
  });

  it('ZodError details contain field + message, no internal paths', async () => {
    const { ZodError, ZodIssueCode } = await import('zod');
    const error = new ZodError([
      {
        code: ZodIssueCode.too_small,
        minimum: 1,
        type: 'string',
        inclusive: true,
        path: ['fullName'],
        message: 'String must contain at least 1 character(s)',
      },
    ]);
    const response = errorResponse(error);
    const body = await response.json();
    const bodyStr = JSON.stringify(body);
    expect(bodyStr).not.toContain('src/');
    expect(bodyStr).not.toContain('node_modules');
    expect(bodyStr).not.toContain('.ts:');
    // The field path is safe to expose (it's user-visible)
    expect(body.details[0].field).toBe('fullName');
  });
});

describe('Error response security — response shape invariants', () => {
  it('every AppError response body follows { error, code } shape', async () => {
    const errors = [
      new AppError(400, 'Bad request', 'BAD_REQUEST'),
      new NotFoundError('Invoice'),
      new ForbiddenError('Cannot delete'),
      new RateLimitError(30),
    ];
    for (const err of errors) {
      const body = await errorResponse(err).json();
      expect(typeof body.error).toBe('string');
      expect(body.error.length).toBeGreaterThan(0);
      // Stack must never appear
      expect(body).not.toHaveProperty('stack');
    }
  });

  it('500 response body has exactly the error key and nothing else', async () => {
    const response = errorResponse(new Error('db connection refused'));
    const body = await response.json();
    expect(Object.keys(body)).toEqual(['error']);
    expect(body.error).toBe('Internal server error');
  });
});
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`/**`
			`* Security: Error Response Sanitization`
			`*`
			`* Verifies that errorResponse() never leaks stack traces, SQL queries,`
			`* internal file paths, or other sensitive server-side details to callers.`
			`*`
			`* Rule from SECURITY-GUIDELINES.md:`
			`* "Error responses must NEVER contain stack traces, SQL queries, or internal paths"`
			`*/`
			`import { beforeAll, describe, expect, it, vi } from 'vitest';`

			`// ── Mock next/server before importing the module under test ──────────────────`
			`// NextResponse is a Next.js runtime class unavailable in a plain Node environment.`
			`// We replace it with a minimal shim that captures status + body.`

			`vi.mock('next/server', () => {`
			`class MockNextResponse {`
			`readonly status: number;`
			`private body: unknown;`

			`constructor(body: unknown, init?: { status?: number }) {`
			`this.body = body;`
			`this.status = init?.status ?? 200;`
			`}`

			`async json() {`
			`return this.body;`
			`}`

			`static json(body: unknown, init?: { status?: number }) {`
			`return new MockNextResponse(body, init);`
			`}`
			`}`

			`return { NextResponse: MockNextResponse };`
			`});`

			`// Mock the logger so error-level calls don't pollute test output`
			`vi.mock('@/lib/logger', () => ({`
			`logger: {`
			`error: vi.fn(),`
			`warn: vi.fn(),`
			`info: vi.fn(),`
			`},`
			`}));`

			`import {`
			`AppError,`
			`ForbiddenError,`
			`NotFoundError,`
			`RateLimitError,`
			`ValidationError,`
			`errorResponse,`
			`} from '@/lib/errors';`

			`// ─────────────────────────────────────────────────────────────────────────────`

			`describe('Error response security — AppError subclasses', () => {`
			`it('AppError returns correct status without leaking constructor args', async () => {`
			`const error = new AppError(400, 'Bad request', 'BAD_REQUEST');`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(400);`
			`const body = await response.json();`
			`expect(body.error).toBe('Bad request');`
			`expect(body.code).toBe('BAD_REQUEST');`
			`// Stack trace must never appear in the response body`
			`expect(JSON.stringify(body)).not.toMatch(/at\s+\w+/); // no call-site lines`
			`expect(JSON.stringify(body)).not.toContain('node_modules');`
			`});`

			`it('NotFoundError returns 404 with generic message, not entity internals', async () => {`
			`const error = new NotFoundError('Client');`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(404);`
			`const body = await response.json();`
			`expect(body.error).toBe('Client not found');`
			`expect(body.code).toBe('NOT_FOUND');`
			`expect(JSON.stringify(body)).not.toContain('stack');`
			`});`

			`it('ForbiddenError returns 403', async () => {`
			`const error = new ForbiddenError();`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(403);`
			`const body = await response.json();`
			`expect(body.code).toBe('FORBIDDEN');`
			`});`

			`it('RateLimitError returns 429 with retryAfter but no stack', async () => {`
			`const error = new RateLimitError(60);`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(429);`
			`const body = await response.json();`
			`expect(body.retryAfter).toBe(60);`
			`expect(JSON.stringify(body)).not.toMatch(/stack\|node_modules/i);`
			`});`

			`it('ValidationError returns 400 with details array, no internal paths', async () => {`
			`const error = new ValidationError('Invalid input', [`
			`{ field: 'email', message: 'Invalid email format' },`
			`]);`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(400);`
			`const body = await response.json();`
			`expect(body.details).toHaveLength(1);`
			`expect(body.details[0].field).toBe('email');`
			`expect(JSON.stringify(body)).not.toContain('src/');`
			`expect(JSON.stringify(body)).not.toContain('G:\\');`
			`});`
			`});`

			`describe('Error response security — unknown / native errors', () => {`
			`it('native Error with SQL content returns generic 500', async () => {`
			`const error = new Error(`
			`"SELECT * FROM users WHERE id = 1; DROP TABLE users;--",`
			`);`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(500);`
			`const body = await response.json();`
			`expect(body.error).toBe('Internal server error');`
			`expect(JSON.stringify(body)).not.toContain('SELECT');`
			`expect(JSON.stringify(body)).not.toContain('DROP TABLE');`
			`});`

			`it('native Error with Windows file path returns generic 500 without path', async () => {`
			`const error = new Error(`
			`'at Object.<anonymous> (G:\\Repos\\new-pn-crm\\src\\lib\\db\\index.ts:15:3)',`
			`);`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(500);`
			`const body = await response.json();`
			`expect(body.error).toBe('Internal server error');`
			`expect(JSON.stringify(body)).not.toContain('G:\\');`
			`expect(JSON.stringify(body)).not.toContain('src\\lib');`
			`});`

			`it('native Error with node_modules path returns generic 500 without path', async () => {`
			`const error = new Error(`
			`'ENOENT: no such file at /app/node_modules/pg/lib/connection.js',`
			`);`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(500);`
			`const body = await response.json();`
			`expect(body.error).toBe('Internal server error');`
			`expect(JSON.stringify(body)).not.toContain('node_modules');`
			`expect(JSON.stringify(body)).not.toContain('ENOENT');`
			`});`

			`it('native Error with Postgres relation message returns generic 500', async () => {`
			`const error = new Error('relation "users" does not exist');`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(500);`
			`const body = await response.json();`
			`expect(body.error).toBe('Internal server error');`
			`expect(JSON.stringify(body)).not.toContain('relation');`
			`expect(JSON.stringify(body)).not.toContain('"users"');`
			`});`

			`it('null thrown value returns generic 500', async () => {`
			`const response = errorResponse(null);`
			`expect(response.status).toBe(500);`
			`const body = await response.json();`
			`expect(body.error).toBe('Internal server error');`
			`});`

			`it('string thrown returns generic 500', async () => {`
			`const response = errorResponse('something went wrong internally');`
			`expect(response.status).toBe(500);`
			`const body = await response.json();`
			`expect(body.error).toBe('Internal server error');`
			`// The raw string must not appear in the response`
			`expect(JSON.stringify(body)).not.toContain('something went wrong internally');`
			`});`
			`});`

			`describe('Error response security — ZodError', () => {`
			`it('ZodError returns 400 with VALIDATION_ERROR code', async () => {`
			`const { ZodError, ZodIssueCode } = await import('zod');`
			`const error = new ZodError([`
			`{`
			`code: ZodIssueCode.invalid_type,`
			`expected: 'string',`
			`received: 'number',`
			`path: ['name'],`
			`message: 'Expected string, received number',`
			`},`
			`]);`
			`const response = errorResponse(error);`
			`expect(response.status).toBe(400);`
			`const body = await response.json();`
			`expect(body.code).toBe('VALIDATION_ERROR');`
			`expect(body.details).toBeDefined();`
			`expect(Array.isArray(body.details)).toBe(true);`
			`});`

			`it('ZodError details contain field + message, no internal paths', async () => {`
			`const { ZodError, ZodIssueCode } = await import('zod');`
			`const error = new ZodError([`
			`{`
			`code: ZodIssueCode.too_small,`
			`minimum: 1,`
			`type: 'string',`
			`inclusive: true,`
			`path: ['fullName'],`
			`message: 'String must contain at least 1 character(s)',`
			`},`
			`]);`
			`const response = errorResponse(error);`
			`const body = await response.json();`
			`const bodyStr = JSON.stringify(body);`
			`expect(bodyStr).not.toContain('src/');`
			`expect(bodyStr).not.toContain('node_modules');`
			`expect(bodyStr).not.toContain('.ts:');`
			`// The field path is safe to expose (it's user-visible)`
			`expect(body.details[0].field).toBe('fullName');`
			`});`
			`});`

			`describe('Error response security — response shape invariants', () => {`
			`it('every AppError response body follows { error, code } shape', async () => {`
			`const errors = [`
			`new AppError(400, 'Bad request', 'BAD_REQUEST'),`
			`new NotFoundError('Invoice'),`
			`new ForbiddenError('Cannot delete'),`
			`new RateLimitError(30),`
			`];`
			`for (const err of errors) {`
			`const body = await errorResponse(err).json();`
			`expect(typeof body.error).toBe('string');`
			`expect(body.error.length).toBeGreaterThan(0);`
			`// Stack must never appear`
			`expect(body).not.toHaveProperty('stack');`
			`}`
			`});`

			`it('500 response body has exactly the error key and nothing else', async () => {`
			`const response = errorResponse(new Error('db connection refused'));`
			`const body = await response.json();`
			`expect(Object.keys(body)).toEqual(['error']);`
			`expect(body.error).toBe('Internal server error');`
			`});`
			`});`