refactor: address code review - add resetAuthState, toSafeUser helper, improve test isolation

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

apps/console/src/__tests__/authHandlers.test.ts

@@ -10,22 +10,15 @@
 
 import { describe, it, expect, beforeAll, afterAll, beforeEach } from 'vitest';
 import { setupServer } from 'msw/node';
-import { createAuthHandlers } from '../mocks/authHandlers';
+import { createAuthHandlers, resetAuthState } from '../mocks/authHandlers';
 
 const BASE_URL = 'http://localhost/api/v1/auth';
 const handlers = createAuthHandlers('/api/v1/auth');
 const server = setupServer(...handlers);
 
 beforeAll(() => server.listen({ onUnhandledRequest: 'bypass' }));
 afterAll(() => server.close());
-
-/**
- * Reset the in-memory user store between tests by importing a
- * fresh set of handlers. Because the module-level Maps/state
- * persist across tests within the same module, we accept that
- * state accumulates during a single describe block and structure
- * tests as a sequential flow: sign-up → sign-in → session → sign-out.
- */
+beforeEach(() => resetAuthState());
 
 describe('Mock Auth Handlers', () => {
   it('should register a new user via sign-up', async () => {
@@ -51,6 +44,13 @@ describe('Mock Auth Handlers', () => {
   });
 
   it('should reject duplicate sign-up', async () => {
+    // Register a user first
+    await fetch(`${BASE_URL}/sign-up/email`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ name: 'Alice', email: 'alice@example.com', password: 'secret123' }),
+    });
+
     const res = await fetch(`${BASE_URL}/sign-up/email`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
@@ -77,6 +77,13 @@ describe('Mock Auth Handlers', () => {
   });
 
   it('should sign in with correct credentials', async () => {
+    // Register user first
+    await fetch(`${BASE_URL}/sign-up/email`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ name: 'Alice', email: 'alice@example.com', password: 'secret123' }),
+    });
+
     const res = await fetch(`${BASE_URL}/sign-in/email`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
@@ -106,7 +113,12 @@ describe('Mock Auth Handlers', () => {
   });
 
   it('should return current session after sign-in', async () => {
-    // First sign in to establish a session
+    // Register and sign in
+    await fetch(`${BASE_URL}/sign-up/email`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ name: 'Alice', email: 'alice@example.com', password: 'secret123' }),
+    });
     await fetch(`${BASE_URL}/sign-in/email`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
@@ -150,7 +162,12 @@ describe('Mock Auth Handlers', () => {
   });
 
   it('should update user when authenticated', async () => {
-    // Sign in first
+    // Register and sign in first
+    await fetch(`${BASE_URL}/sign-up/email`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ name: 'Alice', email: 'alice@example.com', password: 'secret123' }),
+    });
     await fetch(`${BASE_URL}/sign-in/email`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
@@ -171,9 +188,6 @@ describe('Mock Auth Handlers', () => {
   });
 
   it('should reject update-user when not authenticated', async () => {
-    // Sign out first
-    await fetch(`${BASE_URL}/sign-out`, { method: 'POST' });
-
     const res = await fetch(`${BASE_URL}/update-user`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },

apps/console/src/mocks/authHandlers.ts

@@ -6,6 +6,9 @@
  * enable sign-up, sign-in, session, and sign-out flows in the MSW
  * (browser / test) environment where no real AuthPlugin is available.
  *
+ * NOTE: This is a mock/testing module only. Passwords are stored in
+ * plain text — never use this pattern in production code.
+ *
  * Endpoints:
  *   POST /sign-up/email  — register a new user
  *   POST /sign-in/email  — authenticate with email + password
@@ -38,6 +41,13 @@ const users = new Map<string, MockUser & { password: string }>();
 let currentSession: { user: MockUser; session: MockSession } | null = null;
 let nextId = 1;
 
+/** Reset all in-memory auth state. Call in test `beforeEach` for isolation. */
+export function resetAuthState(): void {
+  users.clear();
+  currentSession = null;
+  nextId = 1;
+}
+
 function generateToken(): string {
   return `mock-token-${Date.now()}-${Math.random().toString(36).slice(2)}`;
 }
@@ -46,6 +56,12 @@ function generateExpiry(): string {
   return new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
 }
 
+/** Return a user object without the password field. */
+function toSafeUser(user: MockUser & { password: string }): MockUser {
+  const { password: _, ...safe } = user;
+  return safe;
+}
+
 /**
  * Create MSW request handlers that mock the better-auth REST endpoints.
  *
@@ -94,7 +110,7 @@ export function createAuthHandlers(baseUrl: string): HttpHandler[] {
         token: generateToken(),
         expiresAt: generateExpiry(),
       };
-      const { password: _, ...safeUser } = user;
+      const safeUser = toSafeUser(user);
       currentSession = { user: safeUser, session };
 
       return HttpResponse.json({ user: safeUser, session });
@@ -126,7 +142,7 @@ export function createAuthHandlers(baseUrl: string): HttpHandler[] {
         token: generateToken(),
         expiresAt: generateExpiry(),
       };
-      const { password: _, ...safeUser } = stored;
+      const safeUser = toSafeUser(stored);
       currentSession = { user: safeUser, session };
 
       return HttpResponse.json({ user: safeUser, session });