test(server): port missing returnToken/env edge cases from #116

PR #120 rewrote auth.controller.spec.ts and environment.service.spec.ts in a leaner style but dropped several edge cases that PR #116 covered. Port the gaps so the server coverage matches the original review intent: - auth.controller: returnToken=false must behave like the omitted case (no token in the response body, cookie still set) — guards an `!== undefined`-style regression. - environment.getCorsAllowedOrigins: empty string -> [], single origin, and leading/trailing/duplicate commas with spaces -> trimmed list. - environment.isSwaggerEnabled: mixed-case "True" -> true; "false"/""/"1" -> false. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 18:49:32 +03:00
parent 9a36c44245
commit 08359dd93e
2 changed files with 55 additions and 2 deletions
--- a/apps/server/src/core/auth/auth.controller.spec.ts
+++ b/apps/server/src/core/auth/auth.controller.spec.ts
@@ -81,5 +81,25 @@ describe('AuthController', () => {
      expect(result).toBeUndefined();
      expect(res.setCookie).toHaveBeenCalledTimes(1);
    });
+
+    // Guards against an `!== undefined`-style bug: an explicit `false` must
+    // behave exactly like the omitted case (cookie set, no token in the body).
+    it('returns no body token but still sets the cookie when returnToken is false', async () => {
+      const { ctrl, res } = makeController();
+      const loginInput = {
+        email: 'a@b.com',
+        password: 'pw',
+        returnToken: false,
+      };
+
+      const result = await ctrl.login(
+        workspace as any,
+        res as any,
+        loginInput as any,
+      );
+
+      expect(result).toBeUndefined();
+      expect(res.setCookie).toHaveBeenCalledTimes(1);
+    });
  });
 });