Trek_CN/server/tests/unit
jubnl 20bf9c2312
security: close SEC-H4/H6 gaps from second-pass review
- SEC-H6: remove conditional audience check in mcp/index.ts — audience is
  now always enforced against the mcpResource URL. Add migration to revoke
  pre-existing oauth_tokens with audience=NULL so dead rows don't linger.
- SEC-H4: validate doc.issuer against config.issuer inside discover() to
  prevent a MITM'd discovery doc from supplying a crafted expected issuer.
  verifyIdToken caller now passes config.issuer as ground truth, not
  doc.issuer.
- tests: cover three new OIDC callback failure paths (no_id_token,
  id_token_invalid, subject_mismatch) and two idempotency caps (key length
  >128 chars returns 400, body >256 KiB skips caching).
2026-04-20 21:35:30 +02:00
..
mcp fix(mcp): add RFC 9728 PRM, RFC 8707 audience binding, and collab sub-feature gating 2026-04-20 07:34:38 +02:00
middleware security: close SEC-H4/H6 gaps from second-pass review 2026-04-20 21:35:30 +02:00
services test(notifications): bump event_types count to 9 after adding todo_due 2026-04-20 17:38:25 +02:00
systemNotices feat(system-notices): replace expiresAt with [minVersion, maxVersion) version gate 2026-04-17 20:03:23 +02:00
utils test: expand test suite to 87.3% backend coverage 2026-04-06 20:08:30 +02:00
scheduler.test.ts Add comprehensive backend test suite (#339) 2026-04-03 13:17:53 +02:00