vrr/joplock
2
0
Fork 0
mirror of https://github.com/abort-retry-ignore/joplock.git synced 2026-05-22 19:57:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
joplock/tests/createServer.test.js

3035 lines
116 KiB
JavaScript
Raw Permalink Blame History

const test = require('node:test');
const assert = require('node:assert/strict');
const fs = require('fs');
const os = require('os');
const path = require('path');
const http = require('http');
const { createRateLimitService } = require('../app/auth/rateLimitService');
const { createServer } = require('../app/createServer');
const request = (port, options = {}) => {
const {
path: requestPath = '/api/web/me',
method = 'GET',
headers = { Cookie: 'sessionId=test-session' },
body = null,
rawBody = null,
} = options;
return new Promise((resolve, reject) => {
const req = http.request({
hostname: '127.0.0.1',
port,
path: requestPath,
method,
headers,
}, res => {
const chunks = [];
res.on('data', chunk => chunks.push(chunk));
res.on('end', () => {
const buf = Buffer.concat(chunks);
resolve({ statusCode: res.statusCode, body: buf.toString('utf8'), rawBody: buf, headers: res.headers });
});
});
if (rawBody) {
req.write(rawBody);
} else if (body) {
req.write(body);
}
req.end();
});
};
const makePublicDir = () => {
const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'joplock-public-'));
// Copy htmx.min.js stub so static file serving works
fs.writeFileSync(path.join(dir, 'htmx.min.js'), '// stub');
return dir;
};
const defaultMocks = (overrides = {}) => ({
publicDir: overrides.publicDir || makePublicDir(),
joplinPublicBasePath: overrides.joplinPublicBasePath !== undefined ? overrides.joplinPublicBasePath : '/joplin',
joplinPublicBaseUrl: overrides.joplinPublicBaseUrl || 'http://localhost:5444',
joplinServerPublicUrl: overrides.joplinServerPublicUrl || 'http://localhost:5444/joplin',
joplinServerOrigin: overrides.joplinServerOrigin || 'http://server:22300',
adminService: overrides.adminService || null,
adminEmail: overrides.adminEmail || '',
ignoreAdminMfa: overrides.ignoreAdminMfa || false,
itemService: {
foldersByUserId: async () => [],
folderByUserIdAndJopId: async () => null,
notesByUserId: async () => [],
noteHeadersByUserId: async () => [],
noteHeadersByFolder: async () => [],
folderNoteCountsByUserId: async () => new Map([['__all__', 0], ['__trash__', 0]]),
noteByUserIdAndJopId: async () => null,
searchNotes: async () => [],
resourceBlobByUserId: async () => null,
resourceMetaByUserId: async () => null,
...overrides.itemService,
},
itemWriteService: {
createFolder: async () => ({ id: 'folder-created' }),
deleteFolder: async () => {},
updateFolder: async () => ({ id: 'folder-updated' }),
createNote: async () => ({ id: 'note-created' }),
deleteNote: async () => {},
trashNote: async () => {},
restoreNote: async () => {},
updateNote: async () => ({ id: 'note-updated' }),
createResource: async () => ({ id: 'res-created' }),
...overrides.itemWriteService,
},
sessionService: {
userBySessionId: async sessionId => {
if (sessionId === 'test-session') return { id: 'user-1', email: 'user@example.com', sessionId };
return null;
},
touchSession: async () => {},
getLastSeen: async () => null,
deleteSession: async () => {},
...overrides.sessionService,
},
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: false, lastNoteId: '', lastNoteFolderId: '', dateFormat: 'MMM-DD-YY', datetimeFormat: 'YYYY-MM-DD HH:mm', autoLogout: false, autoLogoutMinutes: 15 }),
saveSettings: async (_userId, settings) => settings,
appSettings: async () => ({ authRateLimitAttempts: 20 }),
saveAppSettings: async settings => settings,
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
...overrides.settingsService,
},
historyService: {
saveSnapshot: async () => {},
listSnapshots: async () => [],
getSnapshot: async () => null,
...overrides.historyService,
},
backupService: overrides.backupService || {
isConfigured: () => true,
isBusy: () => false,
activeOperation: () => '',
listBackups: async () => [],
startBackupJob: async () => ({ name: 'joplock-backup.dump', state: 'running', type: 'backup' }),
backupPath: async () => ({ path: path.join(os.tmpdir(), 'joplock-test-backup.dump'), size: 4, name: 'joplock-test-backup.dump', createdTime: Date.now() }),
startRestoreJob: async () => ({ name: 'joplock-test-backup.dump', state: 'running', type: 'restore' }),
currentStatus: () => ({ state: 'idle', type: '', message: '', error: '', stderrTail: '' }),
waitForIdle: async () => ({ state: 'idle' }),
},
recoveryService: overrides.recoveryService || {
isEnabled: () => false,
createSession: () => '',
validateSession: () => false,
endSession: () => {},
},
rateLimitService: overrides.rateLimitService,
vaultService: overrides.vaultService || null,
database: overrides.database || { query: async () => ({ rows: [] }) },
});
const withServer = async (mocks, fn) => {
const server = createServer(defaultMocks(mocks));
await new Promise(resolve => server.listen(0, '127.0.0.1', resolve));
const port = server.address().port;
try {
await fn(port);
} finally {
await new Promise(resolve => server.close(resolve));
}
};
// --- JSON API tests ---
test('GET /api/web/me returns current user for valid session', async () => {
await withServer({}, async port => {
const res = await request(port);
assert.equal(res.statusCode, 200);
const payload = JSON.parse(res.body);
assert.equal(payload.user.email, 'user@example.com');
});
});
test('GET /api/web/me returns 401 for invalid session', async () => {
await withServer({}, async port => {
const res = await request(port, { headers: { Cookie: 'sessionId=bad' } });
assert.equal(res.statusCode, 401);
});
});
test('GET /api/web/folders returns folders', async () => {
await withServer({
itemService: {
foldersByUserId: async () => [{ id: 'f1', title: 'Test', parentId: '', createdTime: 0, updatedTime: 0 }],
},
}, async port => {
const res = await request(port, { path: '/api/web/folders' });
assert.equal(res.statusCode, 200);
const payload = JSON.parse(res.body);
assert.equal(payload.items.length, 1);
assert.equal(payload.items[0].id, 'f1');
});
});
test('POST /api/web/folders creates folder', async () => {
let createdFolder = null;
await withServer({
itemWriteService: {
createFolder: async (_sid, folder) => { createdFolder = folder; return { id: 'f-new' }; },
},
itemService: {
folderByUserIdAndJopId: async () => ({ id: 'f-new', title: 'New', parentId: '' }),
},
}, async port => {
const res = await request(port, {
path: '/api/web/folders',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/json' },
body: JSON.stringify({ title: 'New' }),
});
assert.equal(res.statusCode, 201);
assert.equal(createdFolder.title, 'New');
});
});
test('DELETE /api/web/folders/:id moves notes to General before deleting notebook', async () => {
const moved = [];
let createdFolder = null;
let deletedId = null;
await withServer({
itemService: {
folderByUserIdAndJopId: async (_uid, id) => id === 'f1' ? { id: 'f1', title: 'Work', parentId: '' } : null,
foldersByUserId: async () => [{ id: 'f1', title: 'Work', parentId: '' }],
notesByUserId: async (_uid, options = {}) => options.folderId === 'f1' ? [
{ id: 'n1', title: 'Note 1', body: 'A', parentId: 'f1', createdTime: 1 },
{ id: 'n2', title: 'Note 2', body: 'B', parentId: 'f1', createdTime: 2 },
] : [],
},
itemWriteService: {
createFolder: async (_sid, folder) => { createdFolder = folder; return { id: 'general-id' }; },
updateNote: async (_sid, existing, updates) => { moved.push({ id: existing.id, parentId: updates.parentId }); return { id: existing.id }; },
deleteFolder: async (_sid, id) => { deletedId = id; },
},
}, async port => {
const res = await request(port, {
path: '/api/web/folders/f1',
method: 'DELETE',
});
assert.equal(res.statusCode, 204);
assert.deepEqual(createdFolder, { title: 'General', parentId: '' });
assert.deepEqual(moved, [
{ id: 'n1', parentId: 'general-id' },
{ id: 'n2', parentId: 'general-id' },
]);
assert.equal(deletedId, 'f1');
});
});
test('PUT /api/web/notes/:id updates note', async () => {
const existing = { id: 'n1', title: 'Old', body: 'Old body', parentId: 'f1', createdTime: 1000 };
let updateArgs = null;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => existing,
},
itemWriteService: {
updateNote: async (_sid, ex, updates) => { updateArgs = { ex, updates }; return { id: ex.id }; },
},
}, async port => {
const res = await request(port, {
path: '/api/web/notes/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/json' },
body: JSON.stringify({ title: 'New', body: 'New body' }),
});
assert.equal(res.statusCode, 200);
assert.equal(updateArgs.updates.title, 'New');
assert.equal(updateArgs.updates.body, 'New body');
});
});
test('PUT /api/web/notes/:id returns 404 for missing note', async () => {
await withServer({
itemService: { noteByUserIdAndJopId: async () => null },
}, async port => {
const res = await request(port, {
path: '/api/web/notes/missing',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/json' },
body: JSON.stringify({ title: 'X' }),
});
assert.equal(res.statusCode, 404);
});
});
test('POST /api/web/notes rejects plaintext create inside vault', async () => {
let created = false;
await withServer({
itemWriteService: {
createNote: async () => { created = true; return { id: 'n1' }; },
},
vaultService: {
getVaultByFolderId: async (_uid, folderId) => folderId === 'vault-1' ? { folderId: 'vault-1' } : null,
getVaultFolderIdSet: async () => new Set(['vault-1']),
},
}, async port => {
const res = await request(port, {
path: '/api/web/notes',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/json' },
body: JSON.stringify({ title: 'Secret', body: 'plain body', parentId: 'vault-1' }),
});
assert.equal(res.statusCode, 400);
assert.equal(created, false);
assert.ok(JSON.parse(res.body).error.includes('Vault notes must be saved encrypted'));
});
});
test('PUT /api/web/notes/:id rejects plaintext update into vault', async () => {
let updated = false;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Draft', body: 'plain body', parentId: 'f1', createdTime: 1000 }),
},
itemWriteService: {
updateNote: async () => { updated = true; return { id: 'n1' }; },
},
vaultService: {
getVaultByFolderId: async (_uid, folderId) => folderId === 'vault-1' ? { folderId: 'vault-1' } : null,
getVaultFolderIdSet: async () => new Set(['vault-1']),
},
}, async port => {
const res = await request(port, {
path: '/api/web/notes/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/json' },
body: JSON.stringify({ title: 'Draft', body: 'plain body', parentId: 'vault-1' }),
});
assert.equal(res.statusCode, 400);
assert.equal(updated, false);
assert.ok(JSON.parse(res.body).error.includes('Vault notes must be saved encrypted'));
});
});
// --- htmx fragment tests ---
test('GET /fragments/nav returns HTML folder-note tree', async () => {
await withServer({
itemService: {
foldersByUserId: async () => [
{ id: 'f1', title: 'Folder 1', parentId: '', createdTime: 0, updatedTime: 0 },
],
noteHeadersByUserId: async () => [
{ id: 'n1', title: 'Note 1', parentId: 'f1', updatedTime: 0 },
],
searchNotes: async () => [
{ id: 'n1', title: 'Note 1', parentId: 'f1', updatedTime: 0 },
],
},
}, async port => {
const res = await request(port, { path: '/fragments/nav?q=Note' });
assert.equal(res.statusCode, 200);
assert.ok(res.headers['content-type'].includes('text/html'));
assert.ok(res.body.includes('Search Results'));
assert.ok(!res.body.includes('All Notes'));
assert.ok(!res.body.includes('Folder 1'));
assert.ok(res.body.includes('Note 1'));
assert.ok(res.body.includes('id="nav-search"'));
assert.ok(res.body.includes('class="nav-search-form"'));
assert.ok(res.body.includes('🔍'));
assert.ok(res.body.includes('value="Note"'));
assert.ok(res.body.includes('hx-get="/fragments/editor/n1?currentFolderId=__search_results__"'));
});
});
test('GET /fragments/editor/:id preserves current folder context', async () => {
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Test Note', body: 'Hello world', parentId: 'f1', createdTime: 1000, updatedTime: 2000 }),
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
}, async port => {
const res = await request(port, { path: '/fragments/editor/n1?currentFolderId=__all_notes__' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('name="currentFolderId" value="__all_notes__"'));
});
});
test('GET /fragments/editor/:id returns HTML editor', async () => {
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Test Note', body: 'Hello world', parentId: 'f1', createdTime: 1000, updatedTime: 2000 }),
},
}, async port => {
const res = await request(port, { path: '/fragments/editor/n1' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('hx-put="/fragments/editor/n1"'));
assert.ok(res.body.includes('Test Note'));
assert.ok(res.body.includes('Hello world'));
assert.ok(res.body.includes('hx-trigger="joplock:save"'));
assert.ok(res.body.includes('name="baseUpdatedTime" value="2000"'));
});
});
test('PUT /fragments/editor/:id autosaves and returns status', async () => {
let savedUpdates = null;
const existing = { id: 'n1', title: 'Old', body: 'Old', parentId: 'f1', createdTime: 1000, updatedTime: 1000 };
let callCount = 0;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => { callCount += 1; return callCount === 1 ? existing : { ...existing, title: 'Updated Title', body: 'Updated body', updatedTime: 2000 }; },
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
itemWriteService: {
updateNote: async (_sid, _ex, updates) => { savedUpdates = updates; return { id: 'n1' }; },
},
}, async port => {
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=Updated+Title&body=Updated+body&baseUpdatedTime=1000&currentFolderId=__all_notes__',
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Saved'));
assert.ok(res.body.includes('id="nav-panel" hx-swap-oob="innerHTML"'), 'should refresh nav panel');
assert.ok(res.body.includes('id="editor-sync-state" hx-swap-oob="outerHTML"'));
assert.ok(res.body.includes('name="baseUpdatedTime" value="2000"'));
// Nav now lazy-loads notes; folder rows are present but note items are fetched on demand
assert.ok(res.body.includes('Folder 1'));
assert.equal(savedUpdates.title, 'Updated Title');
assert.equal(savedUpdates.body, 'Updated body');
});
});
test('PUT /fragments/editor/:id returns conflict status fragment when note changed remotely', async () => {
await withServer({
itemService: { noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Remote', body: 'Remote body', parentId: 'f1', createdTime: 1000, updatedTime: 2000 }) },
itemWriteService: {
updateNote: async () => { throw new Error('should not save'); },
},
}, async port => {
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=Updated+Title&body=Updated+body&baseUpdatedTime=1000',
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Conflict'));
assert.ok(res.body.includes('Overwrite'));
assert.ok(res.body.includes('Create copy'));
});
});
test('PUT /fragments/editor/:id can create copy on conflict', async () => {
let createdArgs = null;
await withServer({
itemService: {
noteByUserIdAndJopId: async (_uid, id) => id === 'n-copy' ? { id: 'n-copy', title: 'Updated Title-3', body: 'Updated body', parentId: 'f1', createdTime: 3000, updatedTime: 3000 } : { id: 'n1', title: 'Remote', body: 'Remote body', parentId: 'f1', createdTime: 1000, updatedTime: 2000 },
noteHeadersByFolder: async () => [
{ id: 'n1', title: 'Updated Title', parentId: 'f1', updatedTime: 1000 },
{ id: 'n2', title: 'Updated Title-1', parentId: 'f1', updatedTime: 1000 },
{ id: 'n3', title: 'Updated Title-2', parentId: 'f1', updatedTime: 1000 },
],
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
itemWriteService: {
createNote: async (_sid, note) => { createdArgs = note; return { id: 'n-copy' }; },
updateNote: async () => { throw new Error('should not update'); },
},
}, async port => {
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=Updated+Title&body=Updated+body&parentId=f1&baseUpdatedTime=1000&createCopy=1',
});
assert.equal(res.statusCode, 200);
assert.equal(createdArgs.title, 'Updated Title-3');
assert.equal(createdArgs.body, 'Updated body');
assert.ok(res.body.includes('id="nav-panel" hx-swap-oob="innerHTML"'));
// Nav lazy-loads notes; folder is present but individual note items are fetched on demand
assert.ok(res.body.includes('Folder 1'));
assert.ok(res.body.includes('hx-put="/fragments/editor/n-copy"'));
});
});
test('PUT /fragments/editor/:id rejects plaintext create copy inside vault', async () => {
let createdArgs = null;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Remote', body: 'Remote body', parentId: 'vault-1', createdTime: 1000, updatedTime: 2000 }),
noteHeadersByFolder: async () => [],
},
itemWriteService: {
createNote: async (_sid, note) => { createdArgs = note; return { id: 'n-copy' }; },
updateNote: async () => { throw new Error('should not update'); },
},
vaultService: {
getVaultByFolderId: async (_uid, folderId) => folderId === 'vault-1' ? { folderId: 'vault-1' } : null,
getVaultFolderIdSet: async () => new Set(['vault-1']),
},
}, async port => {
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=Updated+Title&body=Updated+body&parentId=vault-1&baseUpdatedTime=1000&createCopy=1',
});
assert.equal(res.statusCode, 400);
assert.equal(createdArgs, null);
assert.ok(res.body.includes('Vault notes must be saved encrypted'));
});
});
test('POST /fragments/folders creates folder and returns list', async () => {
let created = false;
await withServer({
itemWriteService: {
createFolder: async () => { created = true; return { id: 'f-new' }; },
},
itemService: {
foldersByUserId: async () => [{ id: 'f-new', title: 'New Folder', parentId: '' }],
},
}, async port => {
const res = await request(port, {
path: '/fragments/folders',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=New+Folder',
});
assert.equal(res.statusCode, 200);
assert.ok(created);
assert.ok(res.body.includes('New Folder'));
});
});
test('PUT /fragments/folders/:id renames folder and returns list', async () => {
let updated = false;
await withServer({
itemWriteService: {
updateFolder: async () => { updated = true; return { id: 'f1' }; },
},
itemService: {
folderByUserIdAndJopId: async () => ({ id: 'f1', title: 'Old Folder', parentId: '' }),
foldersByUserId: async () => [{ id: 'f1', title: 'Renamed Folder', parentId: '' }],
},
}, async port => {
const res = await request(port, {
path: '/fragments/folders/f1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=Renamed+Folder',
});
assert.equal(res.statusCode, 200);
assert.ok(updated);
assert.ok(res.body.includes('Renamed Folder'));
});
});
test('POST /fragments/notes selects created note and loads editor', async () => {
await withServer({
itemWriteService: {
createNote: async () => ({ id: 'n-new' }),
},
itemService: {
noteByUserIdAndJopId: async (_uid, id) => ({ id, title: 'Untitled note', body: '', parentId: 'f1', updatedTime: Date.now() }),
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
}, async port => {
const res = await request(port, {
path: '/fragments/notes',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'parentId=f1',
});
assert.equal(res.statusCode, 200);
// Nav lazy-loads notes; check folder is present and editor loaded for new note
assert.ok(res.body.includes('Folder 1'));
assert.ok(res.body.includes('id="editor-panel" hx-swap-oob="innerHTML"'));
assert.ok(res.body.includes('hx-put="/fragments/editor/n-new"'));
});
});
test('POST /fragments/notes saves plain title on create', async () => {
let createdNote = null;
await withServer({
itemWriteService: {
createNote: async (_sid, note) => {
createdNote = note;
return { id: 'n-new' };
},
},
itemService: {
noteByUserIdAndJopId: async (_uid, id) => ({ id, title: 'Hello world', body: '', parentId: 'f1', updatedTime: Date.now() }),
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
}, async port => {
const res = await request(port, {
path: '/fragments/notes',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'parentId=f1&title=%23+**Hello**+%5Bworld%5D(https%3A%2F%2Fexample.com)',
});
assert.equal(res.statusCode, 200);
assert.equal(createdNote.title, 'Hello world');
});
});
test('POST /fragments/notes in vault renders locked editor with vault id', async () => {
await withServer({
itemWriteService: {
createNote: async () => ({ id: 'n-new' }),
},
itemService: {
noteByUserIdAndJopId: async (_uid, id) => ({ id, title: 'Untitled note', body: '', parentId: 'vault-1', updatedTime: Date.now() }),
foldersByUserId: async () => [{ id: 'vault-1', title: 'Vault 1', parentId: '' }],
},
vaultService: {
getVaultByFolderId: async (_uid, folderId) => folderId === 'vault-1' ? { folderId: 'vault-1' } : null,
getVaultFolderIdSet: async () => new Set(['vault-1']),
},
}, async port => {
const res = await request(port, {
path: '/fragments/notes',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'parentId=vault-1',
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('data-vault-id="vault-1"'));
assert.ok(res.body.includes('id="editor-locked"'));
assert.ok(res.body.includes('id="editor-toolbar" style="display:none"'));
assert.ok(res.body.includes('id="cm-host" style="display:none"'));
});
});
test('POST /fragments/notes falls back to created note when immediate read misses', async () => {
await withServer({
itemWriteService: {
createNote: async () => ({ id: 'n-new' }),
},
itemService: {
noteByUserIdAndJopId: async () => null,
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
}, async port => {
const res = await request(port, {
path: '/fragments/notes',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'parentId=f1',
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('hx-put="/fragments/editor/n-new"'));
assert.ok(res.body.includes('value="f1" selected'));
});
});
test('POST /fragments/notes/in-general falls back to created note when immediate read misses', async () => {
await withServer({
itemWriteService: {
createNote: async () => ({ id: 'n-new' }),
},
itemService: {
noteByUserIdAndJopId: async () => null,
foldersByUserId: async () => [{ id: 'general', title: 'General', parentId: '' }],
},
}, async port => {
const res = await request(port, {
path: '/fragments/notes/in-general',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: '',
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('hx-put="/fragments/editor/n-new"'));
assert.ok(res.body.includes('value="general" selected'));
});
});
test('DELETE /fragments/notes/:id trashes note and shows trash folder', async () => {
let trashed = false;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Note 1', body: 'body', parentId: 'f1', createdTime: 1000, updatedTime: 1000, deletedTime: 0 }),
noteHeadersByUserId: async (_uid, options = {}) => options.deleted === 'only' ? [{ id: 'n1', title: 'Note 1', parentId: 'f1', updatedTime: 1000, deletedTime: 2000 }] : [],
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
itemWriteService: {
trashNote: async () => { trashed = true; },
},
}, async port => {
const res = await request(port, {
path: '/fragments/notes/n1',
method: 'DELETE',
headers: { Cookie: 'sessionId=test-session' },
});
assert.equal(res.statusCode, 200);
assert.ok(trashed);
assert.ok(res.body.includes('Trash'));
assert.ok(res.body.includes('id="editor-panel" hx-swap-oob="innerHTML"'));
});
});
test('DELETE /fragments/notes/:id permanently deletes trashed note', async () => {
let deleted = false;
await withServer({
itemService: {
noteByUserIdAndJopId: async (_uid, _id, options = {}) => options.deleted === 'only' ? { id: 'n1', title: 'Note 1', body: 'body', parentId: 'f1', createdTime: 1000, updatedTime: 1000, deletedTime: 2000 } : null,
noteHeadersByUserId: async () => [],
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
itemWriteService: {
deleteNote: async () => { deleted = true; },
},
}, async port => {
const res = await request(port, {
path: '/fragments/notes/n1',
method: 'DELETE',
headers: { Cookie: 'sessionId=test-session' },
});
assert.equal(res.statusCode, 200);
assert.ok(deleted);
});
});
test('POST /fragments/notes/:id/restore restores trashed note', async () => {
let restoreArgs = null;
await withServer({
itemService: {
noteByUserIdAndJopId: async (_uid, id, options = {}) => {
if (options.deleted === 'only') return { id, title: 'Deleted Note', body: 'body', parentId: 'f2', createdTime: 1000, updatedTime: 2000, deletedTime: 2000 };
return { id, title: 'Deleted Note', body: 'body', parentId: 'f2', createdTime: 1000, updatedTime: 3000, deletedTime: 0 };
},
noteHeadersByUserId: async (_uid, options = {}) => options.deleted === 'only' ? [] : [{ id: 'n1', title: 'Deleted Note', parentId: 'f2', updatedTime: 3000, deletedTime: 0 }],
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }, { id: 'f2', title: 'Folder 2', parentId: '' }],
},
itemWriteService: {
restoreNote: async (_sid, note, parentId) => { restoreArgs = { note, parentId }; },
},
}, async port => {
const res = await request(port, {
path: '/fragments/notes/n1/restore',
method: 'POST',
headers: { Cookie: 'sessionId=test-session' },
});
assert.equal(res.statusCode, 200);
assert.equal(restoreArgs.parentId, 'f2');
assert.ok(res.body.includes('hx-put="/fragments/editor/n1"'));
});
});
test('POST /fragments/trash/empty permanently deletes trashed notes', async () => {
const deletedIds = [];
await withServer({
itemService: {
noteHeadersByUserId: async (_uid, options = {}) => options.deleted === 'only' ? [{ id: 'n1', title: 'Deleted Note', parentId: 'f1', updatedTime: 1000, deletedTime: 2000 }] : [],
foldersByUserId: async () => [],
},
itemWriteService: {
deleteNote: async (_sid, id) => { deletedIds.push(id); },
},
}, async port => {
const res = await request(port, {
path: '/fragments/trash/empty',
method: 'POST',
headers: { Cookie: 'sessionId=test-session' },
});
assert.equal(res.statusCode, 200);
assert.deepEqual(deletedIds, ['n1']);
});
});
test('GET / returns full SSR page for logged-in user', async () => {
await withServer({
itemService: {
foldersByUserId: async () => [{ id: 'f1', title: 'My Folder', parentId: '' }],
noteHeadersByUserId: async () => [],
},
}, async port => {
const res = await request(port, { path: '/' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('<!DOCTYPE html>'));
assert.ok(res.body.includes('Joplock'));
assert.ok(res.body.includes('My Folder'));
assert.ok(res.body.includes('Trash'));
assert.ok(res.body.includes('htmx.min.js'));
assert.ok(res.body.includes('apple-touch-icon.png'));
assert.ok(res.body.includes('apple-touch-startup-image'));
});
});
test('GET / resumes last edited note from server-side settings when enabled', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, noteOpenMode: 'preview', resumeLastNote: true, lastNoteId: 'n1', lastNoteFolderId: '__all_notes__', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
saveSettings: async (_userId, settings) => settings,
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
itemService: {
foldersByUserId: async () => [{ id: 'f1', title: 'My Folder', parentId: '' }],
noteByUserIdAndJopId: async () => ({ id: 'n1', title: '# **Hello**', body: 'Body', parentId: 'f1', createdTime: 1000, updatedTime: 1000, deletedTime: 0 }),
},
}, async port => {
const res = await request(port, { path: '/' });
assert.equal(res.statusCode, 200);
// Nav lazy-loads notes; folder is present but note items are fetched on demand
assert.ok(res.body.includes('My Folder'));
assert.ok(res.body.includes('hx-put="/fragments/editor/n1"'));
assert.ok(res.body.includes('data-placeholder="Note title">Hello</div>'));
assert.ok(!res.body.includes('<strong>Hello</strong>'));
});
});
test('GET / includes mobile startup resume payload for resumed note', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, noteOpenMode: 'preview', resumeLastNote: true, lastNoteId: 'n1', lastNoteFolderId: '__all_notes__', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
saveSettings: async (_userId, settings) => settings,
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
itemService: {
foldersByUserId: async () => [{ id: 'f1', title: 'My Folder', parentId: '' }],
noteHeadersByUserId: async (_uid, options = {}) => options.deleted === 'only' ? [] : [{ id: 'n1', title: '# **Hello**', parentId: 'f1', updatedTime: 1000, deletedTime: 0 }],
noteByUserIdAndJopId: async () => ({ id: 'n1', title: '# **Hello**', body: 'Body', parentId: 'f1', createdTime: 1000, updatedTime: 1000, deletedTime: 0 }),
},
}, async port => {
const res = await request(port, { path: '/' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('mobileStartup:{"folderId":"f1","folderTitle":"My Folder","noteId":"n1","noteTitle":"Hello"}'));
assert.ok(res.body.includes('<div class="mobile-screen-body mobile-editor-body" id="mobile-editor-body">'));
assert.ok(res.body.includes('hx-put="/fragments/editor/n1"'));
assert.ok(!res.body.includes('<div class="mobile-screen-body mobile-editor-body" id="mobile-editor-body">\n\t\t\t\t<div class="editor-empty">Select a note</div>'));
});
});
test('GET / does not resume encrypted last note on startup', async () => {
let savedSettings = null;
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, noteOpenMode: 'preview', resumeLastNote: true, lastNoteId: 'n1', lastNoteFolderId: 'f1', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
saveSettings: async (_userId, settings) => { savedSettings = settings; return settings; },
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
itemService: {
foldersByUserId: async () => [{ id: 'f1', title: 'My Folder', parentId: '' }],
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Secret', body: 'cipher', parentId: 'f1', createdTime: 1000, updatedTime: 1000, deletedTime: 0, isEncrypted: true }),
},
}, async port => {
const res = await request(port, { path: '/' });
assert.equal(res.statusCode, 200);
assert.ok(!res.body.includes('hx-put="/fragments/editor/n1"'));
assert.ok(res.body.includes('<div class="editor-empty">Select a note</div>'));
assert.equal(savedSettings.lastNoteId, '');
assert.equal(savedSettings.lastNoteFolderId, '');
});
});
test('GET / does not resume last note inside vault notebook on startup', async () => {
let savedSettings = null;
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, noteOpenMode: 'preview', resumeLastNote: true, lastNoteId: 'n1', lastNoteFolderId: 'vault-1', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
saveSettings: async (_userId, settings) => { savedSettings = settings; return settings; },
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
itemService: {
foldersByUserId: async () => [{ id: 'vault-1', title: 'Vault 1', parentId: '', isVault: true }],
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Secret', body: '', parentId: 'vault-1', createdTime: 1000, updatedTime: 1000, deletedTime: 0, isEncrypted: false }),
},
}, async port => {
const res = await request(port, { path: '/' });
assert.equal(res.statusCode, 200);
assert.ok(!res.body.includes('hx-put="/fragments/editor/n1"'));
assert.ok(!res.body.includes('mobileStartup:{"folderId":"vault-1"'));
assert.equal(savedSettings.lastNoteId, '');
assert.equal(savedSettings.lastNoteFolderId, '');
});
});
test('GET / creates starter content when user has no real folders', async () => {
let folderCreates = 0;
let noteCreates = 0;
await withServer({
itemService: {
foldersByUserId: async () => folderCreates > 0 ? [{ id: 'examples', title: 'Examples', parentId: '' }] : [],
noteHeadersByUserId: async () => [],
},
itemWriteService: {
createFolder: async () => { folderCreates += 1; return { id: 'examples' }; },
createNote: async () => { noteCreates += 1; return { id: 'start-here' }; },
},
}, async port => {
const res = await request(port, { path: '/' });
assert.equal(res.statusCode, 200);
assert.equal(folderCreates, 1);
assert.equal(noteCreates, 1);
assert.ok(res.body.includes('Examples'));
});
});
test('GET / redirects unauthenticated user to /login', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/', headers: {} });
assert.equal(res.statusCode, 302);
assert.equal(res.headers.location, '/login');
});
});
test('GET /login returns login page for unauthenticated user', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/login', headers: {} });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Login'));
assert.ok(!res.body.includes('Authentication code'));
assert.ok(!res.body.includes('NOTEBOOKS'));
});
});
test('POST /login skips per-user MFA for admin when IGNORE_ADMIN_MFA is set', async () => {
await withServer({
adminEmail: 'admin@example.com',
ignoreAdminMfa: true,
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_userId, s) => s,
getTotpSeed: async () => 'TESTSEEDNEVERUSED',
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
sessionService: {
userBySessionId: async sessionId => {
if (sessionId === 'admin-sess') return { id: 'admin-1', email: 'admin@example.com', sessionId };
return null;
},
},
}, async port => {
// Mock Joplin Server login succeeds by relying on test mock
// The test verifies the MFA bypass path; Joplin login is mocked upstream
const res = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'email=admin%40example.com&password=test',
});
// Without the bypass, this would redirect to /login/mfa since getTotpSeed returns a seed
// With bypass, it should either set session or fail at Joplin login (302 to / or /login?error=)
assert.equal(res.statusCode, 302);
// Should NOT redirect to MFA page
assert.ok(!res.headers.location.includes('/login/mfa'));
});
});
test('POST /login creates starter content for user with no real folders', async () => {
const upstream = http.createServer((req, res) => {
if (req.method === 'POST' && req.url === '/api/sessions') {
res.writeHead(200, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ id: 'fresh-session' }));
return;
}
res.writeHead(404, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ error: 'not found' }));
});
await new Promise(resolve => upstream.listen(0, '127.0.0.1', resolve));
const upstreamPort = upstream.address().port;
let folderCreates = 0;
let noteCreates = 0;
try {
await withServer({
joplinServerOrigin: `http://127.0.0.1:${upstreamPort}`,
joplinServerPublicUrl: `http://127.0.0.1:${upstreamPort}`,
sessionService: {
userBySessionId: async sessionId => {
if (sessionId === 'test-session') return { id: 'user-1', email: 'user@example.com', sessionId };
if (sessionId === 'fresh-session') return { id: 'user-1', email: 'user@example.com', sessionId };
return null;
},
},
itemService: {
foldersByUserId: async () => folderCreates > 0 ? [{ id: 'examples', title: 'Examples', parentId: '' }] : [],
noteHeadersByUserId: async () => [],
},
itemWriteService: {
createFolder: async () => { folderCreates += 1; return { id: 'examples' }; },
createNote: async () => { noteCreates += 1; return { id: 'start-here' }; },
},
}, async port => {
const res = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'email=user%40example.com&password=UserPass123%21',
});
assert.equal(res.statusCode, 302);
assert.equal(res.headers.location, '/');
assert.equal(folderCreates, 1);
assert.equal(noteCreates, 1);
});
} finally {
await new Promise(resolve => upstream.close(resolve));
}
});
test('POST /login returns 429 after repeated failed attempts', async () => {
const upstream = http.createServer((req, res) => {
if (req.method === 'POST' && req.url === '/api/sessions') {
res.writeHead(403, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ error: 'invalid' }));
return;
}
res.writeHead(404, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ error: 'not found' }));
});
await new Promise(resolve => upstream.listen(0, '127.0.0.1', resolve));
const upstreamPort = upstream.address().port;
try {
await withServer({
joplinServerOrigin: `http://127.0.0.1:${upstreamPort}`,
joplinServerPublicUrl: `http://127.0.0.1:${upstreamPort}`,
rateLimitService: createRateLimitService(),
settingsService: {
appSettings: async () => ({ authRateLimitAttempts: 3 }),
},
}, async port => {
for (let attempt = 1; attempt <= 3; attempt += 1) {
const res = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.10' },
body: 'email=user%40example.com&password=badpass',
});
assert.equal(res.statusCode, 302);
}
const blocked = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.10' },
body: 'email=user%40example.com&password=badpass',
});
assert.equal(blocked.statusCode, 429);
assert.equal(blocked.headers['retry-after'], '900');
assert.ok(blocked.body.includes('Too many login attempts'));
});
} finally {
await new Promise(resolve => upstream.close(resolve));
}
});
test('POST /login clears account failure streak after successful login', async () => {
let loginAttempts = 0;
const upstream = http.createServer((req, res) => {
if (req.method === 'POST' && req.url === '/api/sessions') {
loginAttempts += 1;
if (loginAttempts === 2) {
res.writeHead(200, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ id: 'fresh-session' }));
return;
}
res.writeHead(403, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ error: 'invalid' }));
return;
}
res.writeHead(404, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ error: 'not found' }));
});
await new Promise(resolve => upstream.listen(0, '127.0.0.1', resolve));
const upstreamPort = upstream.address().port;
try {
await withServer({
joplinServerOrigin: `http://127.0.0.1:${upstreamPort}`,
joplinServerPublicUrl: `http://127.0.0.1:${upstreamPort}`,
rateLimitService: createRateLimitService(),
settingsService: {
appSettings: async () => ({ authRateLimitAttempts: 2 }),
},
sessionService: {
userBySessionId: async sessionId => {
if (sessionId === 'test-session') return { id: 'user-1', email: 'user@example.com', sessionId };
if (sessionId === 'fresh-session') return { id: 'user-1', email: 'user@example.com', sessionId };
return null;
},
},
}, async port => {
const firstFailure = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.20' },
body: 'email=user%40example.com&password=badpass',
});
assert.equal(firstFailure.statusCode, 302);
const success = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.20' },
body: 'email=user%40example.com&password=goodpass',
});
assert.equal(success.statusCode, 302);
assert.equal(success.headers.location, '/');
const secondFailure = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.20' },
body: 'email=user%40example.com&password=badpass-again',
});
assert.equal(secondFailure.statusCode, 302);
const thirdFailure = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.20' },
body: 'email=user%40example.com&password=badpass-final',
});
assert.equal(thirdFailure.statusCode, 302);
const blocked = await request(port, {
path: '/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.20' },
body: 'email=user%40example.com&password=badpass-blocked',
});
assert.equal(blocked.statusCode, 429);
});
} finally {
await new Promise(resolve => upstream.close(resolve));
}
});
test('POST /login/mfa returns 429 after repeated invalid codes', async () => {
await withServer({
rateLimitService: createRateLimitService(),
sessionService: {
userBySessionId: async sessionId => sessionId === 'pending-1' ? { id: 'user-1', email: 'user@example.com', sessionId } : null,
},
settingsService: {
appSettings: async () => ({ authRateLimitAttempts: 2 }),
settingsByUserId: async () => ({}),
saveSettings: async (_userId, settings) => settings,
getTotpSeed: async () => 'JBSWY3DPEHPK3PXP',
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
}, async port => {
for (let attempt = 1; attempt <= 2; attempt += 1) {
const res = await request(port, {
path: '/login/mfa',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
Cookie: 'pendingSession=pending-1',
'X-Forwarded-For': '198.51.100.30',
},
body: 'totp=000000',
});
assert.equal(res.statusCode, 302);
assert.equal(res.headers.location, '/login/mfa?error=Invalid+code');
}
const blocked = await request(port, {
path: '/login/mfa',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
Cookie: 'pendingSession=pending-1',
'X-Forwarded-For': '198.51.100.30',
},
body: 'totp=000000',
});
assert.equal(blocked.statusCode, 429);
assert.equal(blocked.headers['retry-after'], '900');
assert.ok(blocked.body.includes('Too many authentication attempts'));
});
});
test('GET /settings redirects unauthenticated user to login', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/settings', headers: {} });
assert.equal(res.statusCode, 302);
assert.equal(res.headers.location, '/login');
});
});
test('GET /settings shows font controls and per-user MFA section', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 17, codeFontSize: 13, noteMonospace: true, resumeLastNote: true, dateFormat: 'DD/MM/YYYY', datetimeFormat: 'DD/MM/YYYY HH:mm' }),
getTotpSeed: async () => null,
},
}, async port => {
const res = await request(port, { path: '/settings' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Joplock Settings'));
assert.ok(res.body.includes('settings-note-font'));
assert.ok(res.body.includes('value="17"'));
assert.ok(res.body.includes('Use monospace for note text'));
assert.ok(res.body.includes('Reopen the last edited note on startup'));
assert.ok(res.body.includes('Two-Factor Authentication'));
});
});
test('PUT /api/web/settings saves individual settings', async () => {
let saved = null;
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: false, lastNoteId: '', lastNoteFolderId: '', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm', autoLogout: false, autoLogoutMinutes: 15, theme: 'matrix' }),
saveSettings: async (_userId, settings) => { saved = settings; return settings; },
},
}, async port => {
const res = await request(port, {
path: '/api/web/settings',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'theme=nord',
});
assert.equal(res.statusCode, 204);
assert.equal(saved.theme, 'nord');
assert.equal(saved.noteFontSize, 15); // unchanged
});
});
test('PUT /api/web/settings accepts resumeLastNote preference', async () => {
let saved = null;
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: false, lastNoteId: 'n1', lastNoteFolderId: 'f1', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm', autoLogout: false, autoLogoutMinutes: 15, theme: 'matrix' }),
saveSettings: async (_userId, settings) => { saved = settings; return settings; },
},
}, async port => {
const res = await request(port, {
path: '/api/web/settings',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'resumeLastNote=1',
});
assert.equal(res.statusCode, 204);
assert.equal(saved.resumeLastNote, '1');
assert.equal(saved.lastNoteId, 'n1');
});
});
test('GET /fragments/editor/:id stores last note state on the server', async () => {
let savedSettings = null;
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: true, lastNoteId: '', lastNoteFolderId: '', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
saveSettings: async (_userId, settings) => { savedSettings = settings; return settings; },
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: '# Title', body: 'Body', parentId: 'f1', createdTime: 1000, updatedTime: 2000 }),
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
}, async port => {
const res = await request(port, { path: '/fragments/editor/n1?currentFolderId=__all_notes__' });
assert.equal(res.statusCode, 200);
assert.equal(savedSettings.lastNoteId, 'n1');
assert.equal(savedSettings.lastNoteFolderId, '__all_notes__');
assert.ok(res.body.includes('data-placeholder="Note title">Title</div>'));
});
});
test('PUT /fragments/editor/:id saves plain title and last note state on the server', async () => {
let savedUpdates = null;
let savedSettings = null;
const existing = { id: 'n1', title: 'Old', body: 'Old', parentId: 'f1', createdTime: 1000, updatedTime: 1000 };
let callCount = 0;
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: true, lastNoteId: '', lastNoteFolderId: '', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
saveSettings: async (_userId, settings) => { savedSettings = settings; return settings; },
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
itemService: {
noteByUserIdAndJopId: async () => { callCount += 1; return callCount === 1 ? existing : { ...existing, title: 'Hello world', body: 'Updated body', updatedTime: 2000 }; },
noteHeadersByUserId: async (_uid, options = {}) => options.deleted === 'only' ? [] : [{ id: 'n1', title: 'Hello world', parentId: 'f1', updatedTime: 2000, deletedTime: 0 }],
foldersByUserId: async () => [{ id: 'f1', title: 'Folder 1', parentId: '' }],
},
itemWriteService: {
updateNote: async (_sid, _ex, updates) => { savedUpdates = updates; return { id: 'n1' }; },
},
}, async port => {
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=%23+**Hello**+%5Bworld%5D(https%3A%2F%2Fexample.com)&body=Updated+body&baseUpdatedTime=1000&currentFolderId=__all_notes__',
});
assert.equal(res.statusCode, 200);
assert.equal(savedUpdates.title, 'Hello world');
assert.equal(savedSettings.lastNoteId, 'n1');
assert.equal(savedSettings.lastNoteFolderId, '__all_notes__');
});
});
test('GET /fragments/search returns matching notes', async () => {
await withServer({
itemService: {
searchNotes: async (_uid, query) => {
if (query === 'hello') {
return [{ id: 'n1', title: 'Hello World', body: 'content', bodyPreview: 'content', parentId: 'f1' }];
}
return [];
},
},
}, async port => {
const res = await request(port, { path: '/fragments/search?q=hello' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Hello World'));
assert.ok(res.body.includes('hx-get="/fragments/editor/n1?currentFolderId=search"'));
const empty = await request(port, { path: '/fragments/search?q=' });
assert.equal(empty.statusCode, 200);
assert.equal(empty.body, '');
});
});
test('GET /fragments/search shows lock icon for notes inside vault notebooks', async () => {
await withServer({
itemService: {
searchNotes: async () => [{ id: 'n1', title: 'Vault Note', body: 'content', bodyPreview: 'content', parentId: 'vault-1' }],
},
vaultService: {
getVaultFolderIdSet: async () => new Set(['vault-1']),
getVaultByFolderId: async () => null,
},
}, async port => {
const res = await request(port, { path: '/fragments/search?q=vault' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('note-lock-icon'));
assert.ok(res.body.includes('data-vault-id="vault-1"'));
});
});
test('GET /fragments/search shows Load more when exactly 50 results returned', async () => {
await withServer({
itemService: {
searchNotes: async (_uid, _query, limit, offset) => {
assert.equal(limit, 50);
assert.equal(offset, 0);
return Array.from({ length: 50 }, (_, i) => ({ id: `n${i}`, title: `Note ${i}`, body: '', bodyPreview: '', parentId: 'f1' }));
},
},
}, async port => {
const res = await request(port, { path: '/fragments/search?q=test' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('notelist-load-more'), 'should include Load more button');
assert.ok(res.body.includes('/fragments/search?q=test&offset=50'), 'Load more URL should have offset=50');
});
});
test('PUT /fragments/editor rejects plaintext save for note already inside vault', async () => {
let updateCalled = false;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Secret', body: 'plain body', parentId: 'vault-1', updatedTime: 1000 }),
},
itemWriteService: {
updateNote: async () => { updateCalled = true; return { id: 'n1' }; },
},
vaultService: {
getVaultByFolderId: async (_uid, folderId) => folderId === 'vault-1' ? { folderId: 'vault-1' } : null,
getVaultFolderIdSet: async () => new Set(['vault-1']),
},
}, async port => {
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=Secret&body=plain%20body&parentId=vault-1&currentFolderId=vault-1&baseUpdatedTime=1000',
});
assert.equal(res.statusCode, 400);
assert.ok(res.body.includes('Vault notes must be saved encrypted'));
assert.equal(updateCalled, false);
});
});
test('PUT /fragments/editor rejects plaintext save when moving note into vault', async () => {
let updateCalled = false;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Draft', body: 'plain body', parentId: 'f1', updatedTime: 1000 }),
},
itemWriteService: {
updateNote: async () => { updateCalled = true; return { id: 'n1' }; },
},
vaultService: {
getVaultByFolderId: async (_uid, folderId) => folderId === 'vault-1' ? { folderId: 'vault-1' } : null,
getVaultFolderIdSet: async () => new Set(['vault-1']),
},
}, async port => {
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=Draft&body=plain%20body&parentId=vault-1&currentFolderId=f1&baseUpdatedTime=1000',
});
assert.equal(res.statusCode, 400);
assert.ok(res.body.includes('Vault notes must be saved encrypted'));
assert.equal(updateCalled, false);
});
});
test('GET /fragments/search passes offset to searchNotes', async () => {
let receivedOffset;
await withServer({
itemService: {
searchNotes: async (_uid, _query, _limit, offset) => {
receivedOffset = offset;
return [{ id: 'n1', title: 'Note', body: '', bodyPreview: '', parentId: 'f1' }];
},
},
}, async port => {
await request(port, { path: '/fragments/search?q=test&offset=50' });
assert.equal(receivedOffset, 50);
});
});
// --- Resource tests ---
test('GET /resources/:id serves binary blob with correct content-type', async () => {
const blobData = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a]); // fake PNG header
await withServer({
itemService: {
resourceMetaByUserId: async (_uid, rid) => {
if (rid === 'abcdef01234567890abcdef012345678') return { id: rid, mime: 'image/png', title: 'test.png', filename: 'test.png' };
return null;
},
resourceBlobByUserId: async (_uid, rid) => {
if (rid === 'abcdef01234567890abcdef012345678') return blobData;
return null;
},
},
}, async port => {
const res = await request(port, { path: '/resources/abcdef01234567890abcdef012345678' });
assert.equal(res.statusCode, 200);
assert.equal(res.headers['cache-control'], 'no-store');
assert.equal(res.headers['content-type'], 'image/png');
assert.equal(res.headers['content-disposition'], 'inline; filename="test.png"');
assert.ok(res.rawBody.equals(blobData));
});
});
test('GET /resources/:id forces attachment download when requested', async () => {
const blobData = Buffer.from('%PDF-1.7');
await withServer({
itemService: {
resourceMetaByUserId: async (_uid, rid) => rid === 'abcdef01234567890abcdef012345678' ? { id: rid, mime: 'application/pdf', title: 'manual.pdf', filename: 'manual.pdf' } : null,
resourceBlobByUserId: async (_uid, rid) => rid === 'abcdef01234567890abcdef012345678' ? blobData : null,
},
}, async port => {
const res = await request(port, { path: '/resources/abcdef01234567890abcdef012345678?download=1' });
assert.equal(res.statusCode, 200);
assert.equal(res.headers['content-disposition'], 'attachment; filename="manual.pdf"');
assert.ok(res.rawBody.equals(blobData));
});
});
test('GET /resources/:id viewer renders html page with back control', async () => {
const blobData = Buffer.from('%PDF-1.7');
await withServer({
itemService: {
resourceMetaByUserId: async (_uid, rid) => rid === 'abcdef01234567890abcdef012345678' ? { id: rid, mime: 'application/pdf', title: 'manual.pdf', filename: 'manual.pdf' } : null,
resourceBlobByUserId: async (_uid, rid) => rid === 'abcdef01234567890abcdef012345678' ? blobData : null,
},
}, async port => {
const res = await request(port, { path: '/resources/abcdef01234567890abcdef012345678?viewer=1' });
assert.equal(res.statusCode, 200);
assert.ok((res.headers['content-type'] || '').includes('text/html'));
assert.ok(res.body.includes('resource-viewer-page-btn'));
assert.ok(res.body.includes('history.length > 1 ? history.back() : window.close()'));
assert.ok(res.body.includes('/resources/abcdef01234567890abcdef012345678?download=1'));
});
});
test('HEAD /resources/:id returns resource headers without body', async () => {
await withServer({
itemService: {
resourceMetaByUserId: async (_uid, rid) => rid === 'abcdef01234567890abcdef012345678' ? { id: rid, mime: 'application/octet-stream', title: 'key.pub', filename: 'key.pub' } : null,
},
}, async port => {
const res = await request(port, { path: '/resources/abcdef01234567890abcdef012345678', method: 'HEAD' });
assert.equal(res.statusCode, 200);
assert.equal(res.headers['content-type'], 'application/octet-stream');
assert.equal(res.headers['content-disposition'], 'attachment; filename="key.pub"');
assert.equal(res.rawBody.length, 0);
});
});
test('GET /api/web/notes returns all notes for virtual all notes folder', async () => {
let receivedOptions = null;
await withServer({
itemService: {
notesByUserId: async (_uid, options = {}) => {
receivedOptions = options;
return [{ id: 'n1', title: 'Note 1', parentId: 'f1' }];
},
},
}, async port => {
const res = await request(port, { path: '/api/web/notes?folderId=__all_notes__' });
assert.equal(res.statusCode, 200);
assert.deepEqual(receivedOptions, {});
const payload = JSON.parse(res.body);
assert.equal(payload.items.length, 1);
assert.equal(payload.items[0].id, 'n1');
});
});
test('POST /logout returns logged-out page and clears client state', async () => {
await withServer({}, async port => {
const res = await request(port, {
path: '/logout',
method: 'POST',
headers: { Cookie: 'sessionId=test-session' },
});
assert.equal(res.statusCode, 200);
assert.equal(res.headers['cache-control'], 'no-store');
assert.ok(!res.headers['clear-site-data'], 'should not send Clear-Site-Data (client-side cleanup instead)');
const setCookie = Array.isArray(res.headers['set-cookie']) ? res.headers['set-cookie'].join('; ') : res.headers['set-cookie'];
assert.ok(setCookie.includes('sessionId='));
assert.ok(setCookie.includes('Max-Age=0'));
assert.ok(res.body.includes('Cleanup complete'));
assert.ok(res.body.includes('Go to login'));
});
});
// --- Heartbeat ---
test('POST /heartbeat returns 204 for valid session and does not touch session', async () => {
let touched = false;
await withServer({
sessionService: { touchSession: async () => { touched = true; } },
}, async port => {
const res = await request(port, { path: '/heartbeat', method: 'POST', headers: { Cookie: 'sessionId=test-session' } });
assert.equal(res.statusCode, 204);
assert.equal(touched, false, 'heartbeat should not touch session (liveness check only)');
});
});
test('POST /heartbeat returns 401 for missing session', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/heartbeat', method: 'POST', headers: {} });
assert.equal(res.statusCode, 401);
});
});
test('POST /heartbeat returns 401 for invalid session', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/heartbeat', method: 'POST', headers: { Cookie: 'sessionId=bad-session' } });
assert.equal(res.statusCode, 401);
});
});
test('authenticatedUser enforces heartbeat timeout when autoLogout enabled', async () => {
const staleLastSeen = Date.now() - (20 * 60 * 1000); // 20 min ago
let deleted = null;
await withServer({
settingsService: {
settingsByUserId: async () => ({ autoLogout: true, autoLogoutMinutes: 15, noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: false, lastNoteId: '', lastNoteFolderId: '', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
},
sessionService: {
getLastSeen: async () => staleLastSeen,
deleteSession: async id => { deleted = id; },
},
}, async port => {
const res = await request(port, { path: '/api/web/me', headers: { Cookie: 'sessionId=test-session' } });
assert.equal(res.statusCode, 401);
assert.equal(deleted, 'test-session');
});
});
test('authenticatedUser allows request when lastSeen is within timeout', async () => {
const recentLastSeen = Date.now() - (5 * 60 * 1000); // 5 min ago
await withServer({
settingsService: {
settingsByUserId: async () => ({ autoLogout: true, autoLogoutMinutes: 15, noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: false, lastNoteId: '', lastNoteFolderId: '', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
},
sessionService: {
getLastSeen: async () => recentLastSeen,
deleteSession: async () => {},
},
}, async port => {
const res = await request(port, { path: '/api/web/me', headers: { Cookie: 'sessionId=test-session' } });
assert.notEqual(res.statusCode, 401);
});
});
test('authenticatedUser skips timeout check when autoLogout disabled', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({ autoLogout: false, autoLogoutMinutes: 15, noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: false, lastNoteId: '', lastNoteFolderId: '', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
},
sessionService: {
getLastSeen: async () => 0,
deleteSession: async () => {},
},
}, async port => {
const res = await request(port, { path: '/api/web/me', headers: { Cookie: 'sessionId=test-session' } });
assert.notEqual(res.statusCode, 401);
});
});
test('authenticatedUser allows request when lastSeen is null (no heartbeat yet)', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({ autoLogout: true, autoLogoutMinutes: 15, noteFontSize: 15, codeFontSize: 12, noteMonospace: false, resumeLastNote: false, lastNoteId: '', lastNoteFolderId: '', dateFormat: 'YYYY-MM-DD', datetimeFormat: 'YYYY-MM-DD HH:mm' }),
},
sessionService: {
getLastSeen: async () => null,
deleteSession: async () => {},
},
}, async port => {
const res = await request(port, { path: '/api/web/me', headers: { Cookie: 'sessionId=test-session' } });
assert.notEqual(res.statusCode, 401);
});
});
test('GET /logout returns logged-out page and clears client state', async () => {
await withServer({}, async port => {
const res = await request(port, {
path: '/logout',
method: 'GET',
headers: { Cookie: 'sessionId=test-session' },
});
assert.equal(res.statusCode, 200);
assert.equal(res.headers['cache-control'], 'no-store');
assert.ok(!res.headers['clear-site-data'], 'should not send Clear-Site-Data (client-side cleanup instead)');
const setCookie = Array.isArray(res.headers['set-cookie']) ? res.headers['set-cookie'].join('; ') : res.headers['set-cookie'];
assert.ok(setCookie.includes('sessionId='));
assert.ok(setCookie.includes('Max-Age=0'));
assert.ok(res.body.includes('Cleanup complete'));
assert.ok(res.body.includes('Go to login'));
});
});
test('GET /resources/:id returns 404 for missing resource', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/resources/abcdef01234567890abcdef012345678' });
assert.equal(res.statusCode, 404);
});
});
test('GET /resources/:id returns 400 for invalid resource ID', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/resources/not-valid' });
assert.equal(res.statusCode, 400);
});
});
test('POST /fragments/upload creates resource and returns markdown', async () => {
let createdResource = null;
let createdBuffer = null;
await withServer({
itemWriteService: {
createResource: async (_sid, resource, buffer) => {
createdResource = resource;
createdBuffer = buffer;
return { id: 'newresource01234567890abcdef01234' };
},
},
}, async port => {
const boundary = '----testboundary';
const fileContent = Buffer.from('fake image data');
const body = Buffer.concat([
Buffer.from(`--${boundary}\r\nContent-Disposition: form-data; name="file"; filename="photo.png"\r\nContent-Type: image/png\r\n\r\n`),
fileContent,
Buffer.from(`\r\n--${boundary}--\r\n`),
]);
const res = await request(port, {
path: '/fragments/upload',
method: 'POST',
headers: {
Cookie: 'sessionId=test-session',
'Content-Type': `multipart/form-data; boundary=${boundary}`,
'Content-Length': body.length,
},
rawBody: body,
});
assert.equal(res.statusCode, 200);
const payload = JSON.parse(res.body);
assert.equal(payload.resourceId, 'newresource01234567890abcdef01234');
assert.ok(payload.markdown.includes('![photo.png](:/')); // image markdown
assert.equal(createdResource.mime, 'image/png');
assert.equal(createdResource.filename, 'photo.png');
assert.equal(createdResource.fileExtension, 'png');
assert.ok(createdBuffer.equals(fileContent));
});
});
test('POST /fragments/upload returns 401 for unauthenticated user', async () => {
await withServer({}, async port => {
const res = await request(port, {
path: '/fragments/upload',
method: 'POST',
headers: { 'Content-Type': 'multipart/form-data; boundary=x' },
});
assert.equal(res.statusCode, 401);
});
});
test('GET /fragments/editor/:id includes folder dropdown', async () => {
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'My Note', body: 'text', parentId: 'f2', updatedTime: Date.now() }),
foldersByUserId: async () => [
{ id: '__all_notes__', title: 'All Notes', parentId: '', isVirtualAllNotes: true },
{ id: 'f1', title: 'Work', parentId: '' },
{ id: 'f2', title: 'Personal', parentId: '' },
],
},
}, async port => {
const res = await request(port, { path: '/fragments/editor/n1' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('<select name="parentId"'));
assert.ok(!res.body.includes('<option value="__all_notes__"'));
assert.ok(res.body.includes('Work'));
assert.ok(res.body.includes('Personal'));
// f2 should be selected
assert.ok(res.body.includes('value="f2" selected'));
});
});
test('GET /fragments/editor/:id allows selecting multiple upload files', async () => {
await withServer({
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'My Note', body: 'text', parentId: 'f1', updatedTime: Date.now() }),
foldersByUserId: async () => [{ id: 'f1', title: 'Folder', parentId: '' }],
},
}, async port => {
const res = await request(port, { path: '/fragments/editor/n1' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('id="file-upload"'));
assert.ok(res.body.includes('multiple onchange="handleFilePicker(this)"'));
});
});
test('POST /fragments/preview renders markdown to HTML', async () => {
await withServer({}, async port => {
const res = await request(port, {
path: '/fragments/preview',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'body=**bold**+and+*italic*',
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('<strong>bold</strong>'));
assert.ok(res.body.includes('<em>italic</em>'));
});
});
test('POST /fragments/preview renders Joplin resource images', async () => {
await withServer({}, async port => {
const res = await request(port, {
path: '/fragments/preview',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'body=!%5Bphoto%5D(%3A%2Fabcdef01234567890abcdef012345678)',
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('src="/resources/abcdef01234567890abcdef012345678"'));
assert.ok(res.body.includes('class="preview-img"'));
});
});
test('PUT /fragments/editor/:id skips nav refresh on body-only save', async () => {
const existing = { id: 'n1', title: 'Same Title', body: 'Old body', parentId: 'f1', createdTime: 1000, updatedTime: 1000 };
let callCount = 0;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => { callCount += 1; return callCount === 1 ? existing : { ...existing, body: 'New body', updatedTime: 2000 }; },
noteHeadersByUserId: async () => { throw new Error('should not fetch nav data'); },
foldersByUserId: async () => { throw new Error('should not fetch nav data'); },
},
itemWriteService: {
updateNote: async () => ({ id: 'n1' }),
},
}, async port => {
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'title=Same+Title&body=New+body&parentId=f1&baseUpdatedTime=1000&currentFolderId=f1',
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Saved'));
assert.ok(!res.body.includes('id="nav-panel"'), 'should NOT include nav panel OOB swap');
assert.ok(res.body.includes('id="editor-sync-state" hx-swap-oob="outerHTML"'));
assert.ok(res.body.includes('name="baseUpdatedTime" value="2000"'));
});
});
test('PUT /fragments/editor/:id preserves every printable ASCII character in body', async () => {
const savedBodies = [];
const existing = { id: 'n1', title: 'T', body: '', parentId: 'f1', createdTime: 1000, updatedTime: 1000 };
let callCount = 0;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => { callCount += 1; return callCount % 2 === 1 ? existing : { ...existing, updatedTime: 2000 }; },
noteHeadersByUserId: async (_uid, options = {}) => options.deleted === 'only' ? [] : [{ id: 'n1', title: 'T', parentId: 'f1', updatedTime: 2000, deletedTime: 0 }],
foldersByUserId: async () => [{ id: 'f1', title: 'F', parentId: '' }],
},
itemWriteService: {
updateNote: async (_sid, _ex, updates) => { savedBodies.push(updates.body); return { id: 'n1' }; },
},
}, async port => {
for (let code = 32; code <= 126; code++) {
callCount = 0;
const ch = String.fromCharCode(code);
const bodyText = `before${ch}after`;
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: `title=T&body=${encodeURIComponent(bodyText)}&baseUpdatedTime=1000&currentFolderId=f1`,
});
assert.equal(res.statusCode, 200, `status for char ${code} (${ch})`);
const saved = savedBodies[savedBodies.length - 1];
assert.equal(saved, bodyText, `body mismatch for char ${code} (${JSON.stringify(ch)}): got ${JSON.stringify(saved)}`);
}
});
});
test('PUT /fragments/editor/:id preserves space-only and space-leading body lines', async () => {
const savedBodies = [];
const existing = { id: 'n1', title: 'T', body: '', parentId: 'f1', createdTime: 1000, updatedTime: 1000 };
let callCount = 0;
await withServer({
itemService: {
noteByUserIdAndJopId: async () => { callCount += 1; return callCount % 2 === 1 ? existing : { ...existing, updatedTime: 2000 }; },
noteHeadersByUserId: async (_uid, options = {}) => options.deleted === 'only' ? [] : [{ id: 'n1', title: 'T', parentId: 'f1', updatedTime: 2000, deletedTime: 0 }],
foldersByUserId: async () => [{ id: 'f1', title: 'F', parentId: '' }],
},
itemWriteService: {
updateNote: async (_sid, _ex, updates) => { savedBodies.push(updates.body); return { id: 'n1' }; },
},
}, async port => {
const cases = [
{ label: 'single space', body: ' ' },
{ label: 'multiple spaces', body: ' ' },
{ label: 'space then text', body: ' hello' },
{ label: 'blank line with spaces', body: 'line one\n \nline three' },
{ label: 'trailing spaces on line', body: 'hello \nworld' },
{ label: 'leading spaces on line', body: ' hello\nworld' },
{ label: 'only spaces on multiple lines', body: ' \n \n ' },
{ label: 'tab character', body: '\there' },
{ label: 'space before newline', body: 'a \nb' },
{ label: 'spaces between blank lines', body: 'a\n \n \nb' },
];
for (const { label, body: bodyText } of cases) {
callCount = 0;
const res = await request(port, {
path: '/fragments/editor/n1',
method: 'PUT',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: `title=T&body=${encodeURIComponent(bodyText)}&baseUpdatedTime=1000&currentFolderId=f1`,
});
assert.equal(res.statusCode, 200, `status for "${label}"`);
const saved = savedBodies[savedBodies.length - 1];
assert.equal(saved, bodyText, `body mismatch for "${label}": expected ${JSON.stringify(bodyText)}, got ${JSON.stringify(saved)}`);
}
});
});
// --- Admin routes ---
const makeAdminMocks = (overrides = {}) => ({
sessionService: {
userBySessionId: async sessionId => {
if (sessionId === 'admin-session') return { id: 'admin-1', email: 'admin@example.com', sessionId, isAdmin: true };
if (sessionId === 'test-session') return { id: 'user-1', email: 'user@example.com', sessionId, isAdmin: false };
return null;
},
},
adminService: {
listUsers: async () => [{ id: 'user-1', email: 'user@example.com', full_name: '', enabled: true, created_time: 0 }],
createUser: async (email, fullName, password) => ({ id: 'new-1', email, full_name: fullName }),
resetPassword: async () => {},
setEnabled: async () => {},
deleteUser: async () => {},
updateProfile: async () => ({}),
verifyPassword: async () => 'some-token',
changePassword: async () => {},
adminEmail: 'admin@example.com',
},
adminEmail: 'admin@example.com',
...overrides,
});
test('GET /settings shows admin tab for admin user', async () => {
const queries = [];
await withServer(makeAdminMocks({
database: {
query: async (sql, params = []) => {
queries.push({ sql, params });
if (sql.includes('server_version')) return { rows: [{ version: 'PostgreSQL 16.2', version_num: 160002 }] };
if (sql.includes("current_setting('default_toast_compression')")) return { rows: [{ current: 'pglz', available: ['pglz', 'lz4'] }] };
if (sql.includes('pg_column_compression(content)')) {
return {
rows: [
{ kind: 'notes', compression: 'pglz', row_count: '7', total_bytes: '4096' },
{ kind: 'attachments', compression: 'none', row_count: '2', total_bytes: '8192' },
],
};
}
return { rows: [] };
},
},
}), async port => {
const res = await request(port, {
path: '/settings',
headers: { Cookie: 'sessionId=admin-session' },
});
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('tab-admin'), 'should include admin tab panel');
assert.ok(res.body.includes('Create New User'), 'should include create user form');
assert.ok(res.body.includes('Allowed attempts per 15 minutes'));
assert.ok(res.body.includes('Database Compression'));
assert.ok(res.body.includes('Notes'));
assert.ok(res.body.includes('Attachments'));
assert.ok(res.body.includes('PostgreSQL 16.2'), 'should show pg version');
assert.ok(res.body.includes('<code>pglz</code>'));
assert.ok(res.body.includes('<code>none</code>'));
assert.ok(queries.some(q => q.sql.includes('server_version')));
assert.ok(queries.some(q => q.sql.includes('pg_column_compression(content)')));
});
});
test('POST /admin/security saves auth rate limit setting', async () => {
let saved = null;
await withServer(makeAdminMocks({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15 }),
saveSettings: async (_id, s) => s,
appSettings: async () => ({ authRateLimitAttempts: 20 }),
saveAppSettings: async s => { saved = s; return s; },
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
}), async port => {
const res = await request(port, {
path: '/admin/security',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'authRateLimitAttempts=35',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('saved=1'));
assert.deepEqual(saved, { authRateLimitAttempts: 35 });
});
});
test('POST /admin/db-compression updates default toast compression', async () => {
const queries = [];
await withServer(makeAdminMocks({
database: {
query: async (sql, params = []) => {
queries.push({ sql, params });
if (sql.includes('SELECT enumvals FROM pg_settings')) return { rows: [{ enumvals: ['pglz', 'lz4'] }] };
if (sql.includes('SELECT pg_reload_conf()')) return { rows: [{ pg_reload_conf: true }] };
return { rows: [] };
},
},
}), async port => {
const res = await request(port, {
path: '/admin/db-compression',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'defaultToastCompression=lz4',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('Database%20compression%20set%20to%20lz4%20for%20new%20items'));
assert.ok(queries.some(q => q.sql.includes("ALTER SYSTEM SET default_toast_compression = 'lz4'")));
assert.ok(queries.some(q => q.sql.includes('SELECT pg_reload_conf()')));
});
});
test('POST /admin/db-compression rejects unsupported mode', async () => {
const queries = [];
await withServer(makeAdminMocks({
database: {
query: async (sql, params = []) => {
queries.push({ sql, params });
if (sql.includes('SELECT enumvals FROM pg_settings')) return { rows: [{ enumvals: ['pglz', 'lz4'] }] };
return { rows: [] };
},
},
}), async port => {
const res = await request(port, {
path: '/admin/db-compression',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'defaultToastCompression=snappy',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('Unsupported%20compression%20mode'));
assert.ok(!queries.some(q => q.sql.includes('ALTER SYSTEM SET default_toast_compression')));
});
});
test('GET /settings does not show admin tab for non-admin user', async () => {
await withServer(makeAdminMocks(), async port => {
const res = await request(port, {
path: '/settings',
headers: { Cookie: 'sessionId=test-session' },
});
assert.equal(res.statusCode, 200);
assert.ok(!res.body.includes('tab-admin'), 'should not include admin tab panel');
});
});
test('POST /admin/users creates user and redirects', async () => {
let created = null;
await withServer(makeAdminMocks({
adminService: {
listUsers: async () => [],
createUser: async (email, fullName, password) => { created = { email, fullName, password }; return { id: 'new-1' }; },
updateProfile: async () => ({}),
verifyPassword: async () => null,
changePassword: async () => {},
adminEmail: 'admin@example.com',
},
}), async port => {
const res = await request(port, {
path: '/admin/users',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'email=new%40example.com&fullName=New+User&password=secret123',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('saved=1'));
assert.equal(created && created.email, 'new@example.com');
});
});
test('POST /admin/users redirects non-admin to /', async () => {
await withServer(makeAdminMocks(), async port => {
const res = await request(port, {
path: '/admin/users',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'email=bad%40example.com&password=secret123',
});
assert.equal(res.statusCode, 302);
assert.equal(res.headers.location, '/');
});
});
test('POST /admin/users/:id/password resets password', async () => {
let resetId = null;
await withServer(makeAdminMocks({
adminService: {
listUsers: async () => [],
createUser: async () => {},
resetPassword: async (userId) => { resetId = userId; },
setEnabled: async () => {},
deleteUser: async () => {},
updateProfile: async () => ({}),
verifyPassword: async () => null,
changePassword: async () => {},
adminEmail: 'admin@example.com',
},
}), async port => {
const res = await request(port, {
path: '/admin/users/user-1/password',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'password=newpass123',
});
assert.equal(res.statusCode, 302);
assert.equal(resetId, 'user-1');
});
});
test('POST /admin/users/:id/disable disables user', async () => {
let disabledId = null, disabledVal = null;
await withServer(makeAdminMocks({
adminService: {
listUsers: async () => [],
createUser: async () => {},
resetPassword: async () => {},
setEnabled: async (id, val) => { disabledId = id; disabledVal = val; },
deleteUser: async () => {},
updateProfile: async () => ({}),
verifyPassword: async () => null,
changePassword: async () => {},
adminEmail: 'admin@example.com',
},
}), async port => {
const res = await request(port, {
path: '/admin/users/user-1/disable',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session' },
});
assert.equal(res.statusCode, 302);
assert.equal(disabledId, 'user-1');
assert.equal(disabledVal, false);
});
});
test('POST /settings/profile updates profile', async () => {
let dbUpdated = false;
await withServer(makeAdminMocks({
adminService: {
listUsers: async () => [],
createUser: async () => {},
resetPassword: async () => {},
setEnabled: async () => {},
deleteUser: async () => {},
updateProfile: async () => {},
verifyPassword: async () => null,
changePassword: async () => {},
adminEmail: 'admin@example.com',
},
database: {
query: async (sql, params) => {
if (sql.includes('UPDATE users SET full_name')) {
dbUpdated = true;
assert.equal(params[0], 'Test User');
return { rows: [] };
}
return { rows: [{ session_id: 'test-session', id: 'user1', email: 'user@example.com', full_name: '', is_admin: 1, can_upload: 1, email_confirmed: 1, account_type: 0, created_time: Date.now(), updated_time: Date.now(), enabled: 1, session_created_time: Date.now() }] };
},
},
}), async port => {
const res = await request(port, {
path: '/settings/profile',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'fullName=Test+User&email=user%40example.com',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('saved=1'));
assert.ok(dbUpdated);
});
});
test('GET /fragments/folder-notes with __all_notes__ returns all notes', async () => {
await withServer({
itemService: {
noteHeadersByFolder: async (_uid, folderId) => folderId === '__all__' ? [
{ id: 'n1', title: 'Note 1', parentId: 'f1', updatedTime: 0 },
{ id: 'n2', title: 'Note 2', parentId: 'f2', updatedTime: 0 },
] : [],
},
}, async port => {
const res = await request(port, { path: '/fragments/folder-notes?folderId=__all_notes__' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Note 1'));
assert.ok(res.body.includes('Note 2'));
});
});
test('GET /fragments/folder-notes shows lock icon for notes inside vault notebooks', async () => {
await withServer({
itemService: {
noteHeadersByFolder: async () => [{ id: 'n1', title: 'Vault Note', parentId: 'vault-1', updatedTime: 0, isEncrypted: false }],
folderNoteCountsByUserId: async () => new Map([['vault-1', 1], ['__all__', 1], ['__trash__', 0]]),
},
vaultService: {
getVaultFolderIdSet: async () => new Set(['vault-1']),
getVaultByFolderId: async () => null,
},
}, async port => {
const res = await request(port, { path: '/fragments/folder-notes?folderId=vault-1' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('note-lock-icon'));
assert.ok(res.body.includes('data-vault-id="vault-1"'));
});
});
// --- Health check ---
test('GET /health returns ok', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/health', headers: {} });
assert.equal(res.statusCode, 200);
assert.equal(res.body, 'ok');
});
});
// --- Settings security ---
test('POST /settings/security saves auto-logout settings', async () => {
let saved = null;
await withServer({
settingsService: {
settingsByUserId: async () => ({ noteFontSize: 15 }),
saveSettings: async (_id, s) => { saved = s; return s; },
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
}, async port => {
const res = await request(port, {
path: '/settings/security',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'autoLogout=true&autoLogoutMinutes=30',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('tab=security'));
assert.equal(saved.autoLogout, 'true');
});
});
// --- Settings password ---
test('POST /settings/password blocks docker admin', async () => {
await withServer(makeAdminMocks(), async port => {
const res = await request(port, {
path: '/settings/password',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'currentPassword=old&newPassword=new&confirmPassword=new',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('managed+via+deployment'));
});
});
test('POST /settings/password rejects missing current password', async () => {
await withServer(makeAdminMocks({
sessionService: {
userBySessionId: async sessionId => sessionId === 'test-session' ? { id: 'user-1', email: 'user@example.com', sessionId, isAdmin: false } : null,
},
}), async port => {
const res = await request(port, {
path: '/settings/password',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'newPassword=abc&confirmPassword=abc',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('Current+password+required'));
});
});
test('POST /settings/password rejects mismatched passwords', async () => {
await withServer(makeAdminMocks({
sessionService: {
userBySessionId: async sessionId => sessionId === 'test-session' ? { id: 'user-1', email: 'user@example.com', sessionId, isAdmin: false } : null,
},
}), async port => {
const res = await request(port, {
path: '/settings/password',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'currentPassword=old&newPassword=abc&confirmPassword=xyz',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('Passwords+do+not+match'));
});
});
// --- MFA settings routes ---
test('POST /settings/mfa/setup generates seed and redirects', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_id, s) => s,
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
}, async port => {
const res = await request(port, {
path: '/settings/mfa/setup',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: '',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('mfaSetup='));
});
});
test('POST /settings/mfa/setup rejects when already enabled', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_id, s) => s,
getTotpSeed: async () => 'EXISTINGSEED',
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
}, async port => {
const res = await request(port, {
path: '/settings/mfa/setup',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: '',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('MFA+already+enabled'));
});
});
test('POST /settings/mfa/verify saves seed on valid code', async () => {
const { hotp, base32Decode } = require('../app/auth/mfaService');
const seed = 'JBSWY3DPEHPK3PXP';
const now = Date.now();
const code = hotp(base32Decode(seed), Math.floor(now / 30000));
let savedSeed = null;
await withServer({
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_id, s) => s,
getTotpSeed: async () => null,
setTotpSeed: async (_id, s) => { savedSeed = s; return true; },
clearTotpSeed: async () => true,
},
}, async port => {
const res = await request(port, {
path: '/settings/mfa/verify',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: `seed=${seed}&totp=${code}`,
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('mfaEnabled=1'));
assert.equal(savedSeed, seed);
});
});
test('POST /settings/mfa/verify rejects invalid code', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_id, s) => s,
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
}, async port => {
const res = await request(port, {
path: '/settings/mfa/verify',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'seed=JBSWY3DPEHPK3PXP&totp=000000',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('Invalid+code'));
});
});
test('POST /settings/mfa/cancel redirects to settings', async () => {
await withServer({}, async port => {
const res = await request(port, {
path: '/settings/mfa/cancel',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: '',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('tab=security'));
});
});
test('POST /settings/mfa/disable clears seed on valid code', async () => {
const { hotp, base32Decode } = require('../app/auth/mfaService');
const seed = 'JBSWY3DPEHPK3PXP';
const now = Date.now();
const code = hotp(base32Decode(seed), Math.floor(now / 30000));
let cleared = false;
await withServer({
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_id, s) => s,
getTotpSeed: async () => seed,
setTotpSeed: async () => true,
clearTotpSeed: async () => { cleared = true; return true; },
},
}, async port => {
const res = await request(port, {
path: '/settings/mfa/disable',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: `totp=${code}`,
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('saved=1'));
assert.ok(cleared);
});
});
test('POST /settings/mfa/disable rejects invalid code', async () => {
await withServer({
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_id, s) => s,
getTotpSeed: async () => 'JBSWY3DPEHPK3PXP',
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
}, async port => {
const res = await request(port, {
path: '/settings/mfa/disable',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'totp=000000',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('Invalid+code'));
});
});
// --- Admin enable / delete / MFA ---
test('POST /admin/users/:id/enable enables user', async () => {
let enabledId = null, enabledVal = null;
await withServer(makeAdminMocks({
adminService: {
listUsers: async () => [],
createUser: async () => {},
resetPassword: async () => {},
setEnabled: async (id, val) => { enabledId = id; enabledVal = val; },
deleteUser: async () => {},
updateProfile: async () => ({}),
verifyPassword: async () => null,
changePassword: async () => {},
adminEmail: 'admin@example.com',
},
}), async port => {
const res = await request(port, {
path: '/admin/users/user-1/enable',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session' },
});
assert.equal(res.statusCode, 302);
assert.equal(enabledId, 'user-1');
assert.equal(enabledVal, true);
});
});
test('POST /admin/users/:id/delete deletes user', async () => {
let deletedId = null;
await withServer(makeAdminMocks({
adminService: {
listUsers: async () => [],
createUser: async () => {},
resetPassword: async () => {},
setEnabled: async () => {},
deleteUser: async (id) => { deletedId = id; },
updateProfile: async () => ({}),
verifyPassword: async () => null,
changePassword: async () => {},
adminEmail: 'admin@example.com',
},
}), async port => {
const res = await request(port, {
path: '/admin/users/user-1/delete',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session' },
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('saved=1'));
assert.equal(deletedId, 'user-1');
});
});
test('POST /admin/users/:id/mfa/enable sets TOTP seed', async () => {
let seedUserId = null;
await withServer(makeAdminMocks({
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_id, s) => s,
getTotpSeed: async () => null,
setTotpSeed: async (id) => { seedUserId = id; return true; },
clearTotpSeed: async () => true,
},
}), async port => {
const res = await request(port, {
path: '/admin/users/user-1/mfa/enable',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session' },
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('saved=1'));
assert.equal(seedUserId, 'user-1');
});
});
test('POST /admin/users/:id/mfa/disable clears TOTP seed', async () => {
let clearedId = null;
await withServer(makeAdminMocks({
settingsService: {
settingsByUserId: async () => ({}),
saveSettings: async (_id, s) => s,
getTotpSeed: async () => 'SEED',
setTotpSeed: async () => true,
clearTotpSeed: async (id) => { clearedId = id; return true; },
},
}), async port => {
const res = await request(port, {
path: '/admin/users/user-1/mfa/disable',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session' },
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('saved=1'));
assert.equal(clearedId, 'user-1');
});
});
test('GET /settings shows backup section for admin when configured', async () => {
await withServer(makeAdminMocks({
backupService: {
isConfigured: () => true,
isBusy: () => false,
activeOperation: () => '',
listBackups: async () => [{ name: 'joplock-backup-2026.dump', createdTime: 0, size: 12 }],
startBackupJob: async () => ({}),
backupPath: async () => ({ path: __filename, size: 1, name: 'joplock-backup-2026.dump', createdTime: 0 }),
deleteBackup: async () => ({}),
startRestoreJob: async () => ({}),
currentStatus: () => ({ state: 'idle', type: '', message: '', error: '', stderrTail: '' }),
waitForIdle: async () => ({ state: 'idle' }),
},
}), async port => {
const res = await request(port, { path: '/settings', headers: { Cookie: 'sessionId=admin-session' } });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Backup &amp; Restore'));
assert.ok(res.body.includes('joplock-backup-2026.dump'));
});
});
test('POST /admin/backups creates backup and redirects', async () => {
let created = null;
await withServer(makeAdminMocks({
backupService: {
isConfigured: () => true,
isBusy: () => false,
activeOperation: () => '',
listBackups: async () => [],
startBackupJob: async options => { created = options; return {}; },
backupPath: async () => ({ path: __filename, size: 1, name: 'x.dump', createdTime: 0 }),
deleteBackup: async () => ({}),
startRestoreJob: async () => ({}),
currentStatus: () => ({ state: 'idle', type: '', message: '', error: '', stderrTail: '' }),
waitForIdle: async () => ({ state: 'idle' }),
},
}), async port => {
const res = await request(port, { path: '/admin/backups', method: 'POST', headers: { Cookie: 'sessionId=admin-session', 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'compressionMode=zstd' });
assert.equal(res.statusCode, 302);
assert.deepEqual(created, { mode: 'zstd' });
assert.ok(res.headers.location.includes('Backup+started'));
});
});
test('POST /admin/backups/:name/delete deletes backup and redirects', async () => {
let deleted = '';
await withServer(makeAdminMocks({
backupService: {
isConfigured: () => true,
isBusy: () => false,
activeOperation: () => '',
listBackups: async () => [],
startBackupJob: async () => ({}),
backupPath: async () => ({ path: __filename, size: 1, name: 'x.dump', createdTime: 0 }),
deleteBackup: async fileName => { deleted = fileName; return {}; },
startRestoreJob: async () => ({}),
currentStatus: () => ({ state: 'idle', type: '', message: '', error: '', stderrTail: '' }),
waitForIdle: async () => ({ state: 'idle' }),
},
}), async port => {
const res = await request(port, {
path: '/admin/backups/joplock-backup-2026.dump/delete',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session' },
});
assert.equal(res.statusCode, 302);
assert.equal(deleted, 'joplock-backup-2026.dump');
assert.ok(res.headers.location.includes('Backup+deleted'));
});
});
test('POST /admin/restore requires typed confirmation', async () => {
await withServer(makeAdminMocks(), async port => {
const res = await request(port, {
path: '/admin/restore',
method: 'POST',
headers: { Cookie: 'sessionId=admin-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'backupName=joplock-backup.dump&confirm=nope',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('Type+RESTORE+to+confirm'));
});
});
test('recovery login and backup flow works without normal Joplin auth', async () => {
let issuedToken = '';
let validatedToken = '';
let created = null;
await withServer({
sessionService: {
userBySessionId: async () => null,
touchSession: async () => {},
getLastSeen: async () => null,
deleteSession: async () => {},
},
recoveryService: {
isEnabled: () => true,
createSession: password => {
if (password !== 'secret') return '';
issuedToken = 'recovery-token';
return issuedToken;
},
validateSession: token => {
validatedToken = token;
return token === 'recovery-token';
},
endSession: () => {},
},
backupService: {
isConfigured: () => true,
isBusy: () => false,
activeOperation: () => '',
listBackups: async () => [{ name: 'joplock-backup.dump', createdTime: 0, size: 4 }],
startBackupJob: async options => { created = options; return {}; },
backupPath: async () => ({ path: __filename, size: 1, name: 'joplock-backup.dump', createdTime: 0 }),
startRestoreJob: async () => ({}),
currentStatus: () => ({ state: 'idle', type: '', message: '', error: '', stderrTail: '' }),
waitForIdle: async () => ({ state: 'idle' }),
},
}, async port => {
const login = await request(port, {
path: '/recovery/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'password=secret',
});
assert.equal(login.statusCode, 302);
assert.ok(String(login.headers['set-cookie']).includes('joplockRecoverySession=recovery-token'));
const res = await request(port, {
path: '/recovery/backups',
method: 'POST',
headers: { Cookie: 'joplockRecoverySession=recovery-token', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'compressionMode=fast',
});
assert.equal(res.statusCode, 302);
assert.deepEqual(created, { mode: 'fast' });
assert.equal(validatedToken, 'recovery-token');
assert.ok(res.headers.location.includes('Backup+started'));
});
});
test('recovery login returns 429 after repeated invalid passwords', async () => {
await withServer({
rateLimitService: createRateLimitService(),
settingsService: {
appSettings: async () => ({ authRateLimitAttempts: 2 }),
settingsByUserId: async () => ({}),
saveSettings: async (_userId, settings) => settings,
saveAppSettings: async settings => settings,
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
recoveryService: {
isEnabled: () => true,
createSession: password => password === 'secret' ? 'recovery-token' : '',
validateSession: token => token === 'recovery-token',
endSession: () => {},
},
backupService: {
isConfigured: () => true,
isBusy: () => false,
activeOperation: () => '',
listBackups: async () => [],
startBackupJob: async () => ({}),
backupPath: async () => ({ path: __filename, size: 1, name: 'joplock-backup.dump', createdTime: 0 }),
startRestoreJob: async () => ({}),
currentStatus: () => ({ state: 'idle', type: '', message: '', error: '', stderrTail: '' }),
waitForIdle: async () => ({ state: 'idle' }),
},
}, async port => {
for (let attempt = 1; attempt <= 2; attempt += 1) {
const res = await request(port, {
path: '/recovery/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.40' },
body: 'password=wrong',
});
assert.equal(res.statusCode, 302);
assert.ok(res.headers.location.includes('Invalid+recovery+password'));
}
const blocked = await request(port, {
path: '/recovery/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.40' },
body: 'password=wrong',
});
assert.equal(blocked.statusCode, 429);
assert.equal(blocked.headers['retry-after'], '900');
assert.ok(blocked.body.includes('Too many recovery login attempts. Try again later.'));
});
});
test('recovery login clears failure streak after successful password', async () => {
await withServer({
rateLimitService: createRateLimitService(),
settingsService: {
appSettings: async () => ({ authRateLimitAttempts: 2 }),
settingsByUserId: async () => ({}),
saveSettings: async (_userId, settings) => settings,
saveAppSettings: async settings => settings,
getTotpSeed: async () => null,
setTotpSeed: async () => true,
clearTotpSeed: async () => true,
},
recoveryService: {
isEnabled: () => true,
createSession: password => password === 'secret' ? 'recovery-token' : '',
validateSession: token => token === 'recovery-token',
endSession: () => {},
},
backupService: {
isConfigured: () => true,
isBusy: () => false,
activeOperation: () => '',
listBackups: async () => [],
startBackupJob: async () => ({}),
backupPath: async () => ({ path: __filename, size: 1, name: 'joplock-backup.dump', createdTime: 0 }),
startRestoreJob: async () => ({}),
currentStatus: () => ({ state: 'idle', type: '', message: '', error: '', stderrTail: '' }),
waitForIdle: async () => ({ state: 'idle' }),
},
}, async port => {
const firstFailure = await request(port, {
path: '/recovery/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.41' },
body: 'password=wrong',
});
assert.equal(firstFailure.statusCode, 302);
const success = await request(port, {
path: '/recovery/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.41' },
body: 'password=secret',
});
assert.equal(success.statusCode, 302);
assert.ok(String(success.headers['set-cookie']).includes('joplockRecoverySession=recovery-token'));
const secondFailure = await request(port, {
path: '/recovery/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.41' },
body: 'password=wrong-again',
});
assert.equal(secondFailure.statusCode, 302);
const thirdFailure = await request(port, {
path: '/recovery/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.41' },
body: 'password=wrong-final',
});
assert.equal(thirdFailure.statusCode, 302);
const blocked = await request(port, {
path: '/recovery/login',
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Forwarded-For': '198.51.100.41' },
body: 'password=wrong-blocked',
});
assert.equal(blocked.statusCode, 429);
});
});
test('failed restore keeps maintenance mode active and blocks normal routes', async () => {
let restoreCalled = false;
let jobState = 'idle';
await withServer({
recoveryService: {
isEnabled: () => true,
createSession: () => '',
validateSession: token => token === 'recovery-token',
endSession: () => {},
},
backupService: {
isConfigured: () => true,
isBusy: () => false,
activeOperation: () => '',
listBackups: async () => [{ name: 'joplock-backup.dump', createdTime: 0, size: 4 }],
startBackupJob: async () => ({}),
backupPath: async () => ({ path: __filename, size: 1, name: 'joplock-backup.dump', createdTime: 0 }),
startRestoreJob: async () => { restoreCalled = true; jobState = 'failed'; return {}; },
currentStatus: () => ({ state: jobState, type: 'restore', message: jobState === 'failed' ? 'Restore failed' : 'Restore running', error: jobState === 'failed' ? 'restore failed' : '', stderrTail: '' }),
waitForIdle: async () => ({ state: jobState }),
},
}, async port => {
const restore = await request(port, {
path: '/recovery/restore',
method: 'POST',
headers: { Cookie: 'joplockRecoverySession=recovery-token', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'backupName=joplock-backup.dump&confirm=RESTORE',
});
assert.equal(restore.statusCode, 302);
assert.equal(restoreCalled, true);
assert.ok(restore.headers.location.includes('Restore+started'));
const blocked = await request(port, { path: '/', headers: { Cookie: 'sessionId=test-session' } });
assert.equal(blocked.statusCode, 503);
assert.ok(blocked.body.includes('maintenance mode'));
const recovery = await request(port, { path: '/recovery', headers: { Cookie: 'joplockRecoverySession=recovery-token' } });
assert.equal(recovery.statusCode, 200);
});
});
// --- History routes ---
test('GET /fragments/history/:noteId returns history modal', async () => {
await withServer({
historyService: {
saveSnapshot: async () => {},
listSnapshots: async (noteId) => [{ id: 's1', noteId, savedTime: Date.now(), title: 'Test' }],
getSnapshot: async () => null,
},
}, async port => {
const res = await request(port, { path: '/fragments/history/n1' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('data-snapshot-id="s1"'));
assert.ok(res.body.includes('history-list'));
});
});
test('GET /fragments/history-snapshot/:id returns snapshot preview', async () => {
await withServer({
historyService: {
saveSnapshot: async () => {},
listSnapshots: async () => [],
getSnapshot: async (id) => id === 's1' ? { id: 's1', body: 'Snapshot body' } : null,
},
}, async port => {
const res = await request(port, { path: '/fragments/history-snapshot/s1' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Snapshot body'));
});
});
test('GET /fragments/history-snapshot/:id returns 404 for missing snapshot', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/fragments/history-snapshot/missing' });
assert.equal(res.statusCode, 404);
});
});
test('POST /fragments/history/:noteId/restore/:snapshotId rejects plaintext restore inside vault', async () => {
let updated = false;
await withServer({
historyService: {
saveSnapshot: async () => {},
listSnapshots: async () => [],
getSnapshot: async id => id === 's1' ? { id: 's1', noteId: 'n1', title: 'Secret', body: 'plain snapshot body' } : null,
},
itemService: {
noteByUserIdAndJopId: async () => ({ id: 'n1', title: 'Secret', body: 'cipher', parentId: 'vault-1', createdTime: 1000, updatedTime: 1000 }),
},
itemWriteService: {
updateNote: async () => { updated = true; return { id: 'n1' }; },
},
vaultService: {
getVaultByFolderId: async (_uid, folderId) => folderId === 'vault-1' ? { folderId: 'vault-1' } : null,
getVaultFolderIdSet: async () => new Set(['vault-1']),
},
}, async port => {
const res = await request(port, {
path: '/fragments/history/n1/restore/s1',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'currentFolderId=vault-1',
});
assert.equal(res.statusCode, 400);
assert.equal(updated, false);
assert.ok(res.body.includes('Vault notes must be saved encrypted'));
});
});
// --- Folder delete ---
test('DELETE /fragments/folders/:id deletes folder and returns nav', async () => {
const moved = [];
let createdFolder = null;
let deletedId = null;
await withServer({
itemService: {
folderByUserIdAndJopId: async (_uid, id) => id === 'f1' ? { id: 'f1', title: 'Work', parentId: '' } : null,
foldersByUserId: async () => [{ id: 'f1', title: 'Work', parentId: '' }],
notesByUserId: async (_uid, options = {}) => options.folderId === 'f1' ? [
{ id: 'n1', title: 'Note 1', body: 'A', parentId: 'f1', createdTime: 1 },
] : [],
},
itemWriteService: {
createFolder: async (_sid, folder) => { createdFolder = folder; return { id: 'general-id' }; },
updateNote: async (_sid, existing, updates) => { moved.push({ id: existing.id, parentId: updates.parentId }); return { id: existing.id }; },
deleteFolder: async (_sess, id) => { deletedId = id; },
updateFolder: async () => ({}),
createNote: async () => ({}),
deleteNote: async () => {},
trashNote: async () => {},
restoreNote: async () => {},
createResource: async () => ({}),
},
}, async port => {
const res = await request(port, {
path: '/fragments/folders/f1',
method: 'DELETE',
});
assert.equal(res.statusCode, 200);
assert.deepEqual(createdFolder, { title: 'General', parentId: '' });
assert.deepEqual(moved, [{ id: 'n1', parentId: 'general-id' }]);
assert.equal(deletedId, 'f1');
});
});
// --- Mobile routes ---
test('GET /fragments/mobile/folders returns mobile folder list', async () => {
await withServer({
itemService: {
foldersByUserId: async () => [{ id: 'f1', title: 'Work' }],
folderNoteCountsByUserId: async () => new Map([['__all__', 3], ['f1', 2], ['__trash__', 0]]),
},
}, async port => {
const res = await request(port, { path: '/fragments/mobile/folders' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('All Notes'));
assert.ok(res.body.includes('Work'));
});
});
test('GET /fragments/mobile/folders shows vault lock button for vault notebooks', async () => {
await withServer({
itemService: {
foldersByUserId: async () => [{ id: 'vault-1', title: 'Vault 1' }],
folderNoteCountsByUserId: async () => new Map([['__all__', 3], ['vault-1', 2], ['__trash__', 0]]),
},
vaultService: {
getVaultFolderIdSet: async () => new Set(['vault-1']),
},
}, async port => {
const res = await request(port, { path: '/fragments/mobile/folders' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('mobile-vault-folder-lock'));
assert.ok(res.body.includes('data-folder-id="vault-1"'));
});
});
test('GET /fragments/mobile/notes returns mobile note list', async () => {
await withServer({
itemService: {
noteHeadersByFolder: async () => [{ id: 'n1', title: 'Note 1', parentId: 'f1' }],
folderNoteCountsByUserId: async () => new Map([['__all__', 1], ['f1', 1], ['__trash__', 0]]),
},
}, async port => {
const res = await request(port, { path: '/fragments/mobile/notes?folderId=f1' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Note 1'));
});
});
test('GET /fragments/mobile/notes shows lock icon for notes inside vault notebooks', async () => {
await withServer({
itemService: {
noteHeadersByFolder: async () => [{ id: 'n1', title: 'Vault Note', parentId: 'vault-1', isEncrypted: false }],
folderNoteCountsByUserId: async () => new Map([['__all__', 1], ['vault-1', 1], ['__trash__', 0]]),
},
vaultService: {
getVaultFolderIdSet: async () => new Set(['vault-1']),
getVaultByFolderId: async () => null,
},
}, async port => {
const res = await request(port, { path: '/fragments/mobile/notes?folderId=vault-1' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('note-lock-icon'));
assert.ok(res.body.includes('data-vault-id="vault-1"'));
});
});
test('POST /fragments/mobile/notes/new creates note and returns X-Mobile-Note-Id', async () => {
await withServer({
itemService: {
foldersByUserId: async () => [{ id: 'f1', title: 'General' }],
noteHeadersByFolder: async () => [{ id: 'note-created', title: 'Untitled note', parentId: 'f1' }],
folderNoteCountsByUserId: async () => new Map([['__all__', 1], ['f1', 1], ['__trash__', 0]]),
},
itemWriteService: {
createNote: async () => ({ id: 'note-created' }),
createFolder: async () => ({}),
deleteFolder: async () => {},
updateFolder: async () => ({}),
deleteNote: async () => {},
trashNote: async () => {},
restoreNote: async () => {},
updateNote: async () => ({}),
createResource: async () => ({}),
},
}, async port => {
const res = await request(port, {
path: '/fragments/mobile/notes/new',
method: 'POST',
headers: { Cookie: 'sessionId=test-session', 'Content-Type': 'application/x-www-form-urlencoded' },
body: 'folderId=__all__',
});
assert.equal(res.statusCode, 200);
assert.equal(res.headers['x-mobile-note-id'], 'note-created');
});
});
test('GET /fragments/mobile/search returns search results', async () => {
await withServer({
itemService: {
searchNotes: async () => [{ id: 'n1', title: 'Found', parentId: 'f1' }],
},
}, async port => {
const res = await request(port, { path: '/fragments/mobile/search?q=test' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('Found'));
});
});
test('GET /fragments/mobile/search shows lock icon for notes inside vault notebooks', async () => {
await withServer({
itemService: {
searchNotes: async () => [{ id: 'n1', title: 'Vault Found', parentId: 'vault-1', isEncrypted: false }],
},
vaultService: {
getVaultFolderIdSet: async () => new Set(['vault-1']),
getVaultByFolderId: async () => null,
},
}, async port => {
const res = await request(port, { path: '/fragments/mobile/search?q=vault' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('note-lock-icon'));
assert.ok(res.body.includes('data-vault-id="vault-1"'));
});
});
test('GET /fragments/mobile/search returns empty for no query', async () => {
await withServer({}, async port => {
const res = await request(port, { path: '/fragments/mobile/search?q=' });
assert.equal(res.statusCode, 200);
assert.ok(res.body.includes('No results'));
});
});
Reference in a new issue View git blame Copy permalink