Add routing unit tests and comprehensive integration tests (#39)

* Add comprehensive unit tests for actix routing logic

Extract inline permission and validation checks from route handlers into
named pure functions, then cover them with unit tests. Follows the
existing pattern established in boards/routes.rs.

- boards/mod.rs: extract check_cards_allowed / check_voting_allowed; 6 tests
- cards/mod.rs: extract check_card_owner; 4 tests
- cards/routes.rs: extract validate_card_text; 5 tests
- columns/routes.rs: extract check_board_owner_permission; 5 tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Remove unnecessary extractions from purpose-built functions

boards/mod.rs and cards/mod.rs already had named functions
(assert_cards_allowed, assert_voting_allowed, assert_card_owner) for this
logic — no extraction needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add comprehensive routing integration tests

34 tests covering the full HTTP request/response cycle through the actix
middleware stack against a live Firestore emulator. Tests are #[ignore]
and run with: FIRESTORE_EMULATOR_HOST=localhost:8080 cargo test -- --ignored

Coverage:
- Boards: create, list, get, update, delete — including owner/non-owner
  permission cases and not-found handling
- Columns: create, list, get, update, delete — owner-only mutation checks
- Cards: create (validation + cards-closed gate), list, get, update,
  delete, vote (including voting-closed gate), react, CSV export

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Reuse FirestoreDb connection for cleanup in integration tests

Each test now clones the db before passing it to make_app!, keeping a
handle for cleanup rather than opening a second emulator connection.
Also removes a stray no-op emulator_db().await call.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Split integration_tests.rs into per-domain submodules

Move flat 1193-line file into src/integration_tests/ with
board_tests.rs, column_tests.rs, card_tests.rs submodules.
Shared infrastructure (emulator_db, test_config, make_app!,
session_cookie, body_json, setup_board, setup_board_and_column)
stays in mod.rs. Macro uses fully-qualified crate paths to work
when expanded in child modules.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Address review feedback: fix redundant unit tests and fill coverage gaps

- Collapse board_owner_can_update_column + board_owner_can_delete_column
  (identical tests of the same function) into board_owner_is_permitted,
  and non_owner_cannot_update/delete_column into non_owner_is_forbidden
- Add delete_as_non_owner_returns_403 integration test for cards
- Add update_as_non_owner_with_anyone_is_owner_still_returns_403 integration
  test for columns (anyone_is_owner only applies to board settings)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Dylan <dylan@encapto.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

src/cards/routes.rs

@@ -12,6 +12,14 @@ use crate::columns::get_columns;
 use crate::error::Error;
 use crate::participants::models::Participant;
 
+fn validate_card_text(card_message: &CardMessage) -> Result<(), Error> {
+  match &card_message.text {
+    Some(text) if text.is_empty() => Err(Error::BadRequest("Empty cards are not allowed.".into())),
+    None => Err(Error::BadRequest("Card text must be provided.".into())),
+    Some(_) => Ok(()),
+  }
+}
+
 #[post("boards/{board_id}/columns/{column_id}/cards")]
 pub async fn new(
   firestore: web::Data<FirestoreDb>,
@@ -29,14 +37,7 @@ pub async fn new(
     column_id
   ));
 
-  // Empty cards are not allowed
-  if let Some(text) = &card_message.text {
-    if text.is_empty() {
-      return Err(Error::BadRequest("Empty cards are not allowed.".into()));
-    }
-  } else {
-    return Err(Error::BadRequest("Card text must be provided.".into()));
-  }
+  validate_card_text(&card_message)?;
 
   let card = db::new(&firestore, &participant, &board_id, card_message).await?;
   Ok(
@@ -222,3 +223,43 @@ pub async fn csv(
       .body(String::from_utf8(csv_writer.into_inner()?)?),
   )
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  fn msg(text: Option<&str>) -> CardMessage {
+    CardMessage { author: None, text: text.map(|s| s.to_string()), column: None }
+  }
+
+  #[test]
+  fn non_empty_text_is_valid() {
+    assert!(validate_card_text(&msg(Some("Hello"))).is_ok());
+  }
+
+  #[test]
+  fn empty_text_is_bad_request() {
+    assert!(matches!(validate_card_text(&msg(Some(""))), Err(Error::BadRequest(_))));
+  }
+
+  #[test]
+  fn empty_text_error_message() {
+    match validate_card_text(&msg(Some(""))) {
+      Err(Error::BadRequest(s)) => assert_eq!(s, "Empty cards are not allowed."),
+      other => panic!("expected BadRequest, got {other:?}"),
+    }
+  }
+
+  #[test]
+  fn missing_text_is_bad_request() {
+    assert!(matches!(validate_card_text(&msg(None)), Err(Error::BadRequest(_))));
+  }
+
+  #[test]
+  fn missing_text_error_message() {
+    match validate_card_text(&msg(None)) {
+      Err(Error::BadRequest(s)) => assert_eq!(s, "Card text must be provided."),
+      other => panic!("expected BadRequest, got {other:?}"),
+    }
+  }
+}

src/columns/routes.rs

@@ -5,9 +5,18 @@ use actix_web::{delete, get, patch, post, web, HttpResponse};
 use super::db;
 use super::models::ColumnMessage;
 use crate::boards;
+use crate::boards::models::Board;
 use crate::error::Error;
 use crate::participants::models::Participant;
 
+fn check_board_owner_permission(board: &Board, participant: &FirestoreReference) -> Result<(), Error> {
+  if board.owner != *participant {
+    Err(Error::Forbidden)
+  } else {
+    Ok(())
+  }
+}
+
 #[post("boards/{board_id}/columns")]
 pub async fn new(
   firestore: web::Data<FirestoreDb>,
@@ -55,9 +64,7 @@ pub async fn update(
       .unwrap()
       .into(),
   );
-  if board.owner != participant_reference {
-    return Err(Error::Forbidden);
-  }
+  check_board_owner_permission(&board, &participant_reference)?;
   let column = db::update(
     &firestore,
     &board_id,
@@ -82,9 +89,47 @@ pub async fn delete(
       .into(),
   );
   let board = boards::db::get(&firestore, &board_id).await?;
-  if board.owner != participant_reference {
-    return Err(Error::Forbidden);
-  }
+  check_board_owner_permission(&board, &participant_reference)?;
   db::delete(&firestore, &board_id, &column_id).await?;
   Ok(HttpResponse::Ok().finish())
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+  use chrono::Utc;
+  use serde_json::Map;
+
+  fn ref_(s: &str) -> FirestoreReference {
+    FirestoreReference(s.to_string())
+  }
+
+  fn make_board(owner: &str) -> Board {
+    Board {
+      id: "board1".to_string(),
+      name: "Test".to_string(),
+      cards_open: true,
+      voting_open: true,
+      ice_breaking: "".to_string(),
+      created_at: Utc::now().timestamp(),
+      owner: ref_(owner),
+      anyone_is_owner: false,
+      data: serde_json::Value::Object(Map::new()),
+    }
+  }
+
+  #[test]
+  fn board_owner_is_permitted() {
+    let board = make_board("participants/owner");
+    assert!(check_board_owner_permission(&board, &ref_("participants/owner")).is_ok());
+  }
+
+  #[test]
+  fn non_owner_is_forbidden() {
+    let board = make_board("participants/owner");
+    assert!(matches!(
+      check_board_owner_permission(&board, &ref_("participants/other")),
+      Err(Error::Forbidden)
+    ));
+  }
+}