feature: add JUnit 5 + Mockito unit tests for BankController#246
feature: add JUnit 5 + Mockito unit tests for BankController#246devin-ai-integration[bot] wants to merge 1 commit into
Conversation
Co-Authored-By: Matthew Guerra <matthew.guerra@cognition.ai>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
| @Test | ||
| void depositCallsServiceAndRedirectsToDashboard() { | ||
| authenticateAs(USERNAME); | ||
| BigDecimal amount = new BigDecimal("50"); | ||
| when(accountService.findAccountByUsername(USERNAME)).thenReturn(account); | ||
|
|
||
| String view = controller.deposit(amount); | ||
|
|
||
| assertEquals("redirect:/dashboard", view); | ||
| verify(accountService).findAccountByUsername(USERNAME); | ||
| verify(accountService).deposit(account, amount); | ||
| } |
There was a problem hiding this comment.
🚩 Tests don't cover negative/zero amount edge cases
The tests only cover happy-path amounts and the RuntimeException paths that the controller already handles. There are no tests for edge cases like negative amounts (new BigDecimal("-50")) or zero amounts (BigDecimal.ZERO) passed to deposit, withdraw, or transferAmount. The controller delegates directly to AccountService without validating these inputs, and AccountService itself only checks for insufficient funds — it doesn't reject negative or zero amounts. This means a user could deposit a negative amount and reduce their balance, or transfer a negative amount and effectively steal funds from the recipient. While this is a pre-existing issue in the production code (AccountService.java:51-62, AccountService.java:103-135), the new tests could have caught this gap.
Was this helpful? React with 👍 or 👎 to provide feedback.
There was a problem hiding this comment.
Thanks — agreed this is a real gap, but it's a validation gap in production code (AccountService accepts negative/zero amounts), not a defect in these tests. This PR's scope is mock-only unit tests for BankController, which delegates straight to AccountService without validating amounts, so the controller has no negative/zero-amount branch to assert against. Adding such tests would either (a) just document the current unsafe behavior, or (b) require changing production code, which is explicitly out of scope here (don't modify production code to satisfy a test).
I'm leaving the production behavior unchanged and flagging the underlying vulnerability separately. If you'd like, I can open a follow-up PR that adds amount validation in AccountService.deposit/withdraw/transferAmount plus the corresponding negative/zero-amount tests.
Summary
Adds
BankControllerTest— fast, isolated unit tests for every public handler inBankController, with no Spring context, DB, or network. Uses@ExtendWith(MockitoExtension.class),@Mock AccountService,@InjectMocks BankController. No production code changed; no new dependencies (uses existingspring-boot-starter-test+spring-security-test).Each handler is covered with a happy path plus the relevant error/branch paths:
dashboard/deposit/transactionHistory— resolve username fromSecurityContextHolder, callaccountService, assert view name + model attributes.registerAccount,withdraw,transferAmount— both the success redirect and theRuntimeExceptionbranch (assertserror/accountmodel attributes equal the exact exception message anddashboard/registerview).showRegistrationForm/login— static view names,verifyNoInteractions(accountService).SecurityContext-dependent tests set a real
SecurityContextImplwith aTestingAuthenticationTokenin a helper and clear it in@AfterEach. A real lightweightExtendedModelMapis used instead of mockingModel. AccountService interactions are asserted withverify(...)(andnever()where a branch should skip a call).Validation
./mvnw -Dtest=BankControllerTest test→Tests run: 12, Failures: 0, Errors: 0, Skipped: 0. Run in isolation to avoid the existing DB-backedcontextLoadstest.Link to Devin session: https://app.devin.ai/sessions/faf31d9c984d4946b2e6f20f49e1d231
Requested by: @matthewguerra-cog
Devin Review
fe4d323