fix(platform-links): prevent duplicate displayOrder via unique constraint and retry

apps/backend/prisma/migrations/20260612000000_platform_link_unique_display_order/migration.sql

@@ -0,0 +1,2 @@
+-- Add unique constraint on (user_id, display_order) to prevent duplicate display orders per user
+CREATE UNIQUE INDEX "platform_links_user_id_display_order_key" ON "platform_links"("user_id", "display_order");

apps/backend/prisma/schema.prisma

@@ -92,6 +92,7 @@ model PlatformLink {
   user      User       @relation(fields: [userId], references: [id], onDelete: Cascade)
   cardLinks CardLink[]
 
+  @@unique([userId, displayOrder])
   @@map("platform_links")
 }
 

apps/backend/src/__tests__/analytics.test.ts

@@ -1,3 +1,6 @@
+import Fastify, {
+  type FastifyInstance,
+} from 'fastify';
 import {
   describe,
   it,
@@ -7,13 +10,11 @@
   vi,
 } from 'vitest';
 
-import Fastify, {
-  type FastifyInstance,
-} from 'fastify';
+
+import { analyticsRoutes } from '../routes/analytics';
 
 import type { PrismaClient } from '@prisma/client';
 
-import { analyticsRoutes } from '../routes/analytics';
 
 // ─── Shared mock data ────────────────────────────────────────────────────────
 
@@ -34,7 +35,7 @@
 
 // ─── App factory ─────────────────────────────────────────────────────────────
 
-let mockJwtVerify = vi.fn();
+const mockJwtVerify = vi.fn();
 
 async function buildApp(): Promise<FastifyInstance> {
   const app = Fastify({
@@ -188,7 +189,7 @@
 
             expect(
               res.statusCode
             ).toBe(200);
 
             const body =
               res.json();

apps/backend/src/__tests__/auth.test.ts

@@ -0,0 +1,88 @@
+import cookie from '@fastify/cookie';
+import jwt from '@fastify/jwt';
+import Fastify from 'fastify';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { authRoutes } from '../routes/auth.js';
+
+import type { PrismaClient } from '@prisma/client';
+
+const mockUser = {
+  id: 'user-123',
+  username: 'devcard-demo',
+};
+
+const prismaMock = {
+  user: {
+    findUnique: vi.fn(),
+  },
+};
+
+async function buildApp(nodeEnv: string) {
+  vi.stubEnv('NODE_ENV', nodeEnv);
+
+  const app = Fastify();
+  await app.register(jwt, { secret: 'test-secret' });
+  await app.register(cookie);
+  app.decorate('prisma', prismaMock as unknown as PrismaClient);
+  app.decorate('authenticate', async () => {});
+  await app.register(authRoutes, { prefix: '/auth' });
+  await app.ready();
+  return app;
+}
+
+describe('auth dev-login route registration', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
+  it('registers /auth/dev-login outside production', async () => {
+    prismaMock.user.findUnique.mockResolvedValue(mockUser);
+    const app = await buildApp('development');
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/auth/dev-login',
+    });
+
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toHaveProperty('token');
+    expect(prismaMock.user.findUnique).toHaveBeenCalledWith({
+      where: { username: 'devcard-demo' },
+    });
+
+    await app.close();
+  });
+
+  it('does not register /auth/dev-login in production', async () => {
+    const app = await buildApp('production');
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/auth/dev-login',
+    });
+
+    expect(res.statusCode).toBe(404);
+    expect(prismaMock.user.findUnique).not.toHaveBeenCalled();
+
+    await app.close();
+  });
+
+  it('keeps other auth routes registered in production', async () => {
+    const app = await buildApp('production');
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/auth/logout',
+    });
+
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toMatchObject({ message: 'Logged out' });
+
+    await app.close();
+  });
+});

apps/backend/src/__tests__/cards.test.ts

@@ -52,7 +52,7 @@ function wireTransaction(): void {
   );
 }
 
-async function buildApp():Promise<FastifyInstance> {
+async function buildApp(): Promise<FastifyInstance> {
   const app = Fastify({ logger: false });
   app.decorate('prisma', mockPrisma as unknown as PrismaClient);
   app.decorate('authenticate', async (request: any) => {

apps/backend/src/__tests__/connect.test.ts

@@ -1,7 +1,10 @@
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import Fastify from 'fastify';
 import jwt from '@fastify/jwt';
+import Fastify from 'fastify';
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+
 import { connectRoutes } from '../routes/connect.js';
+import { encrypt } from '../utils/encryption.js';
+
 import type { PrismaClient } from '@prisma/client';
 
 process.env.PUBLIC_APP_URL = 'http://localhost:3000';
@@ -20,23 +23,24 @@ const mockRedis = {
 const mockPrisma = {
   oAuthToken: {
     findMany: vi.fn(),
+    findUnique: vi.fn(),
     upsert: vi.fn(),
     delete: vi.fn(),
   },
 };
 
 global.fetch = vi.fn();
 
-async function buildApp() {
+async function buildApp(): Promise<ReturnType<typeof Fastify>> {
   const app = Fastify();
   await app.register(jwt, { secret: 'test-secret' });
   app.decorate('prisma', mockPrisma as unknown as PrismaClient);
   app.decorate('redis', mockRedis as any);
-  
+
   app.decorate('authenticate', async (request: any, reply: any) => {
     try {
       await request.jwtVerify();
-    } catch (err) {
+    } catch {
       reply.status(401).send({ error: 'Unauthorized' });
     }
   });
@@ -46,6 +50,10 @@ async function buildApp() {
   return app;
 }
 
+function authHeader(app: any): { authorization: string } {
+  return { authorization: `Bearer ${app.jwt.sign({ id: 'user-1' })}` };
+}
+
 describe('GET /api/connect/github/callback', () => {
   beforeEach(() => {
     vi.clearAllMocks();
@@ -184,4 +192,119 @@ describe('GET /api/connect/github/callback', () => {
     expect(res.statusCode).toBe(302);
     expect(res.headers.location).toBe('http://localhost:3000/settings?error=connect_failed');
   });
+
+  it('returns cached discovery suggestions when Redis stores the response', async () => {
+    const cachedResponse = [{ platform: 'twitter', username: 'octocat', confidence: 'high' }];
+    mockRedis.get.mockResolvedValue(JSON.stringify(cachedResponse));
+
+    const app = await buildApp();
+    const res = await app.inject({
+      method: 'GET',
+      url: '/api/connect/github/autodiscover',
+      headers: authHeader(app),
+    });
+
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toEqual(cachedResponse);
+    expect(global.fetch).not.toHaveBeenCalled();
+  });
+
+  it('returns discovery suggestions and caches the result', async () => {
+    mockRedis.get.mockResolvedValue(null);
+    mockPrisma.oAuthToken.findUnique.mockResolvedValue({ accessToken: encrypt('github-access-token') });
+    (global.fetch as any).mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: vi.fn().mockResolvedValue({
+        twitter_username: 'octocat',
+        blog: 'https://dev.to/octocat',
+        company: 'GitHub',
+        bio: 'Developer',
+        html_url: 'https://github.com/octocat',
+      }),
+    });
+
+    const app = await buildApp();
+    const res = await app.inject({
+      method: 'GET',
+      url: '/api/connect/github/autodiscover',
+      headers: authHeader(app),
+    });
+
+    const expected = [
+      { platform: 'twitter', username: 'octocat', confidence: 'high' },
+      { platform: 'devto', username: 'octocat', confidence: 'low' },
+    ];
+
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toEqual(expected);
+    expect(mockRedis.set).toHaveBeenCalledWith('github:autodiscover:user-1', JSON.stringify(expected), 'EX', 3600);
+  });
+
+  it('returns unauthorized when GitHub API returns 401', async () => {
+    mockRedis.get.mockResolvedValue(null);
+    mockPrisma.oAuthToken.findUnique.mockResolvedValue({ accessToken: encrypt('github-access-token') });
+    (global.fetch as any).mockResolvedValue({
+      ok: false,
+      status: 401,
+      text: vi.fn().mockResolvedValue('Bad credentials'),
+    });
+
+    const app = await buildApp();
+    const res = await app.inject({
+      method: 'GET',
+      url: '/api/connect/github/autodiscover',
+      headers: authHeader(app),
+    });
+
+    expect(res.statusCode).toBe(401);
+    expect(res.json()).toEqual({ error: 'GitHub token expired or revoked', requiresAuth: true });
+    expect(mockRedis.del).toHaveBeenCalledWith('github:autodiscover:user-1');
+  });
+
+  it('returns an error when the GitHub follow token is missing', async () => {
+    mockRedis.get.mockResolvedValue(null);
+    mockPrisma.oAuthToken.findUnique.mockResolvedValue(null);
+
+    const app = await buildApp();
+    const res = await app.inject({
+      method: 'GET',
+      url: '/api/connect/github/autodiscover',
+      headers: authHeader(app),
+    });
+
+    expect(res.statusCode).toBe(400);
+    expect(res.json()).toEqual({ error: 'Not connected to GitHub. Please connect GitHub first.', requiresAuth: true });
+    expect(global.fetch).not.toHaveBeenCalled();
+  });
+
+  it('falls back to live GitHub discovery when Redis read fails', async () => {
+    mockRedis.get.mockRejectedValue(new Error('Redis unavailable'));
+    mockPrisma.oAuthToken.findUnique.mockResolvedValue({ accessToken: encrypt('github-access-token') });
+    (global.fetch as any).mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: vi.fn().mockResolvedValue({
+        twitter_username: 'octocat',
+        blog: 'https://npmjs.com/~octocat',
+        company: 'GitHub',
+        bio: 'Developer',
+        html_url: 'https://github.com/octocat',
+      }),
+    });
+
+    const app = await buildApp();
+    const res = await app.inject({
+      method: 'GET',
+      url: '/api/connect/github/autodiscover',
+      headers: authHeader(app),
+    });
+
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toEqual([
+      { platform: 'twitter', username: 'octocat', confidence: 'high' },
+      { platform: 'npm', username: 'octocat', confidence: 'low' },
+    ]);
+    expect(global.fetch).toHaveBeenCalled();
+  });
 });

apps/backend/src/__tests__/event.test.ts

@@ -1,8 +1,10 @@
+import Fastify, { type FastifyInstance } from 'fastify';
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
-import Fastify, { FastifyInstance } from 'fastify';
-import { PrismaClient } from '@prisma/client';
+
 import { eventRoutes } from '../routes/event';
 
+import type { PrismaClient } from '@prisma/client';
+
 // ─── Shared mock data ────────────────────────────────────────────────────────
 
 const MOCK_USER_ID = 'user-uuid-001';
@@ -64,7 +66,7 @@
 //
 // This mirrors the real app setup without touching a real DB or real JWT keys.
 
-let mockJwtVerify = vi.fn();
+const mockJwtVerify = vi.fn();
 
 async function buildApp(): Promise<FastifyInstance> {
   const app = Fastify({ logger: false });
@@ -93,7 +95,7 @@
 }
 
 /** Injects a POST /api/events request */
 async function createEvent(
   app: FastifyInstance,
   body: Record<string, unknown>,
   authenticated = true,
@@ -140,7 +142,7 @@
 
       const res = await createEvent(app, validBody);
 
       expect(res.statusCode).toBe(201);
       const body = res.json();
       expect(body.slug).toBe('devcard-conf-2025');
       expect(body.organizerId).toBe(MOCK_USER_ID);
@@ -165,34 +167,34 @@
 
     it('400 — rejects missing required fields (no dates, no location)', async () => {
       const res = await createEvent(app, { name: 'Hello World' }); // missing dates + location
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects missing location', async () => {
       const { location: _omit, ...bodyWithoutLocation } = validBody;
       const res = await createEvent(app, bodyWithoutLocation);
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects location shorter than 2 characters', async () => {
       const res = await createEvent(app, { ...validBody, location: 'A' });
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects location longer than 100 characters', async () => {
       const res = await createEvent(app, { ...validBody, location: 'A'.repeat(101) });
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects event name shorter than 3 characters', async () => {
       const res = await createEvent(app, { ...validBody, name: 'Hi' });
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects event name longer than 100 characters', async () => {
       const longName = 'A'.repeat(101);
       const res = await createEvent(app, { ...validBody, name: longName });
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects invalid date format', async () => {
@@ -200,7 +202,7 @@
         ...validBody,
         startDate: 'not-a-date',
       });
       expect(res.statusCode).toBe(400);
     });
 
     it('201 — generates a unique slug when the first candidate is taken', async () => {
@@ -216,7 +218,7 @@
 
       const res = await createEvent(app, validBody);
 
       expect(res.statusCode).toBe(201);
       // create was eventually called with a slug different from the base one
       const createdSlug: string = prismaMock.event.create.mock.calls[0][0].data.slug;
       expect(createdSlug).toMatch(/^devcard-conf-2025-[a-z0-9]+$/);
@@ -474,7 +476,7 @@
 
   describe('GET /api/events/:slug/attendees — paginated attendee list', () => {
     /** Builds a raw EventAttendee row as Prisma returns it (with nested user) */
     function makeAttendeeRow(
       profile: typeof MOCK_USER_PROFILE | typeof MOCK_OTHER_USER_PROFILE,
     ) {
       return {

apps/backend/src/__tests__/follow.test.ts

@@ -1,4 +1,4 @@
-import Fastify, { FastifyInstance } from 'fastify';
+import Fastify, { type FastifyInstance } from 'fastify';
 import { describe, expect, it, vi, beforeAll, beforeEach, afterAll } from 'vitest';
 
 import { followRoutes } from '../routes/follow.js';

apps/backend/src/__tests__/oauth-scope.test.ts

@@ -11,10 +11,12 @@
  * flow so the two records are independent and can never overwrite each other.
  */
 
-import { describe, it, expect, beforeEach, vi } from 'vitest';
 import Fastify from 'fastify';
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+
 import { connectRoutes } from '../routes/connect.js';
 import { followRoutes } from '../routes/follow.js';
+
 import type { PrismaClient } from '@prisma/client';
 
 // ── Mocks ─────────────────────────────────────────────────────────────────────
@@ -42,20 +44,20 @@
   return Buffer.from(JSON.stringify({ userId, nonce: 'test-nonce' })).toString('base64');
 }
 
 function buildConnectApp(mockPrisma: Partial<PrismaClient>) {
   const app = Fastify({ logger: false });
   app.decorate('prisma', mockPrisma as PrismaClient);
   app.decorate('authenticate', async (req: any) => { req.user = { id: USER_ID }; });
   app.register(connectRoutes, { prefix: '/api/connect' });
   return app.ready().then(() => app);
 }
 
 // ── Follow-route test harness ─────────────────────────────────────────────────
 
 function buildFollowApp(mockPrisma: Partial<PrismaClient>) {
   const app = Fastify({ logger: false });
   app.decorate('prisma', mockPrisma as PrismaClient);
   app.decorate('authenticate', async (req: any) => { req.user = { id: USER_ID }; });
   app.register(followRoutes, { prefix: '/api/follow' });
   return app.ready().then(() => app);
 }