test(auth): cover invalid OAuth callback validation path

PierreBrisorgueil · PierreBrisorgueil · commit 8c99c22ba823 · 2026-02-21T15:57:17.000+01:00
diff --git a/modules/auth/controllers/auth.controller.js b/modules/auth/controllers/auth.controller.js
@@ -109,9 +109,9 @@ const oauthCall = (req, res, next) => {
 
 /**
  * @desc Endpoint to save oAuthProfile
- * @param {Object} req - Express request object
- * @param {Object} providerUserProfile
- * @param {Function} done - done
+ * @param {Object} profil - OAuth user profile object
+ * @param {string} key - Provider key to lookup `providerData`
+ * @param {string} provider - OAuth provider name
  */
 const checkOAuthUserProfile = async (profil, key, provider) => {
   // check if user exist
diff --git a/modules/auth/tests/auth.integration.tests.js b/modules/auth/tests/auth.integration.tests.js
@@ -550,6 +550,24 @@ describe('Auth integration tests:', () => {
       }
     });
 
+    test('should return 422 when client-side OAuth callback receives an invalid profile', async () => {
+      const result = await agent
+        .post('/api/auth/google/callback')
+        .send({
+          strategy: false,
+          key: 'id',
+          value: 'cb-app-auth-id-invalid-999',
+          firstName: '',
+          lastName: 'Callback',
+          email: 'oauthcb-invalid@test.com',
+        })
+        .expect(422);
+
+      expect(result.body.type).toBe('error');
+      expect(result.body.message).toMatch(/^Schema validation error/);
+      expect(result.body.description).toEqual(expect.any(String));
+    });
+
     test('should set tokenCookieOptions and redirect on classic web oAuth success', async () => {
       const mockUserId = 'mock-oauth-user-id-123';
       const authenticateSpy = jest.spyOn(passport, 'authenticate').mockImplementationOnce(
