fix(test): enhance rate limit test accuracy and mock integrity

teycir · teycir · commit 5905521dbd57 · 2025-12-22T19:30:10.000+01:00
- Updated mock database logic to prevent object mutations during UPDATE operations
- Ensured SELECT queries return copies of data to simulate snapshot behavior
- Refined test expectations for exact remaining counts instead of loose bounds
- Added clarifying comments to rate limit test steps for better readability

These changes improve the test's fidelity to actual database behavior, reducing potential flakiness and ensuring precise validation of rate limiting logic.
diff --git a/tests/unit/securityDB.test.ts b/tests/unit/securityDB.test.ts
@@ -12,13 +12,16 @@ describe('DB-backed Security', () => {
       prepare: (sql: string) => ({
         bind: (...args: any[]) => ({
           run: async () => {
-            if (sql.includes('INSERT INTO rate_limits')) {
+            if (sql.includes('INSERT OR REPLACE INTO rate_limits')) {
               store.set(args[0], { count: 1, reset_at: args[1] });
               return { success: true };
             }
             if (sql.includes('UPDATE rate_limits')) {
               const existing = store.get(args[0]);
-              if (existing) existing.count++;
+              if (existing) {
+                // Create new object to avoid mutation affecting the returned snapshot
+                store.set(args[0], { ...existing, count: existing.count + 1 });
+              }
               return { success: true };
             }
             if (sql.includes('INSERT INTO nonces')) {
@@ -29,8 +32,10 @@ describe('DB-backed Security', () => {
             return { success: true };
           },
           first: async () => {
-            if (sql.includes('rate_limits')) {
-              return store.get(args[0]) || null;
+            if (sql.includes('SELECT count, reset_at FROM rate_limits')) {
+              const data = store.get(args[0]);
+              // Return a copy to simulate database snapshot behavior
+              return data ? { ...data } : null;
             }
             return null;
           },
@@ -44,16 +49,20 @@ describe('DB-backed Security', () => {
   it('should enforce rate limits', async () => {
     const key = 'test-fingerprint';
     
+    // First request: INSERT count=1, remaining = limit - 1 = 2 - 1 = 1
     const r1 = await db.checkRateLimit(key, 2, 60000);
     expect(r1.allowed).toBe(true);
     expect(r1.remaining).toBe(1);
     
+    // Second request: existing.count=1, UPDATE to 2, remaining = limit - existing.count - 1 = 2 - 1 - 1 = 0
     const r2 = await db.checkRateLimit(key, 2, 60000);
     expect(r2.allowed).toBe(true);
-    expect(r2.remaining).toBeGreaterThanOrEqual(0);
+    expect(r2.remaining).toBe(0);
     
+    // Third request: existing.count=2, count >= limit (2 >= 2), blocked
     const r3 = await db.checkRateLimit(key, 2, 60000);
     expect(r3.allowed).toBe(false);
+    expect(r3.remaining).toBe(0);
   });
 
   it('should reset rate limits after window', async () => {
