fix(platform-links): prevent duplicate displayOrder via unique constraint and retry

apps/backend/prisma/migrations/20260612000000_platform_link_unique_display_order/migration.sql

@@ -0,0 +1,2 @@
+-- Add unique constraint on (user_id, display_order) to prevent duplicate display orders per user
+CREATE UNIQUE INDEX "platform_links_user_id_display_order_key" ON "platform_links"("user_id", "display_order");

apps/backend/prisma/schema.prisma

@@ -92,6 +92,7 @@ model PlatformLink {
   user      User       @relation(fields: [userId], references: [id], onDelete: Cascade)
   cardLinks CardLink[]
 
+  @@unique([userId, displayOrder])
   @@map("platform_links")
 }
 

apps/backend/src/__tests__/analytics.test.ts

@@ -1,3 +1,6 @@
+import Fastify, {
+  type FastifyInstance,
+} from 'fastify';
 import {
   describe,
   it,
@@ -7,13 +10,11 @@
   vi,
 } from 'vitest';
 
-import Fastify, {
-  type FastifyInstance,
-} from 'fastify';
+
+import { analyticsRoutes } from '../routes/analytics';
 
 import type { PrismaClient } from '@prisma/client';
 
-import { analyticsRoutes } from '../routes/analytics';
 
 // ─── Shared mock data ────────────────────────────────────────────────────────
 
@@ -34,7 +35,7 @@
 
 // ─── App factory ─────────────────────────────────────────────────────────────
 
-let mockJwtVerify = vi.fn();
+const mockJwtVerify = vi.fn();
 
 async function buildApp(): Promise<FastifyInstance> {
   const app = Fastify({
@@ -188,7 +189,7 @@
 
             expect(
               res.statusCode
             ).toBe(200);
 
             const body =
               res.json();

apps/backend/src/__tests__/auth.test.ts

@@ -0,0 +1,88 @@
+import cookie from '@fastify/cookie';
+import jwt from '@fastify/jwt';
+import Fastify from 'fastify';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { authRoutes } from '../routes/auth.js';
+
+import type { PrismaClient } from '@prisma/client';
+
+const mockUser = {
+  id: 'user-123',
+  username: 'devcard-demo',
+};
+
+const prismaMock = {
+  user: {
+    findUnique: vi.fn(),
+  },
+};
+
+async function buildApp(nodeEnv: string) {
+  vi.stubEnv('NODE_ENV', nodeEnv);
+
+  const app = Fastify();
+  await app.register(jwt, { secret: 'test-secret' });
+  await app.register(cookie);
+  app.decorate('prisma', prismaMock as unknown as PrismaClient);
+  app.decorate('authenticate', async () => {});
+  await app.register(authRoutes, { prefix: '/auth' });
+  await app.ready();
+  return app;
+}
+
+describe('auth dev-login route registration', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
+  it('registers /auth/dev-login outside production', async () => {
+    prismaMock.user.findUnique.mockResolvedValue(mockUser);
+    const app = await buildApp('development');
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/auth/dev-login',
+    });
+
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toHaveProperty('token');
+    expect(prismaMock.user.findUnique).toHaveBeenCalledWith({
+      where: { username: 'devcard-demo' },
+    });
+
+    await app.close();
+  });
+
+  it('does not register /auth/dev-login in production', async () => {
+    const app = await buildApp('production');
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/auth/dev-login',
+    });
+
+    expect(res.statusCode).toBe(404);
+    expect(prismaMock.user.findUnique).not.toHaveBeenCalled();
+
+    await app.close();
+  });
+
+  it('keeps other auth routes registered in production', async () => {
+    const app = await buildApp('production');
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/auth/logout',
+    });
+
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toMatchObject({ message: 'Logged out' });
+
+    await app.close();
+  });
+});

apps/backend/src/__tests__/cards.test.ts

@@ -52,7 +52,7 @@ function wireTransaction(): void {
   );
 }
 
-async function buildApp():Promise<FastifyInstance> {
+async function buildApp(): Promise<FastifyInstance> {
   const app = Fastify({ logger: false });
   app.decorate('prisma', mockPrisma as unknown as PrismaClient);
   app.decorate('authenticate', async (request: any) => {

apps/backend/src/__tests__/event.test.ts

@@ -1,8 +1,10 @@
+import Fastify, { type FastifyInstance } from 'fastify';
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
-import Fastify, { FastifyInstance } from 'fastify';
-import { PrismaClient } from '@prisma/client';
+
 import { eventRoutes } from '../routes/event';
 
+import type { PrismaClient } from '@prisma/client';
+
 // ─── Shared mock data ────────────────────────────────────────────────────────
 
 const MOCK_USER_ID = 'user-uuid-001';
@@ -64,7 +66,7 @@
 //
 // This mirrors the real app setup without touching a real DB or real JWT keys.
 
-let mockJwtVerify = vi.fn();
+const mockJwtVerify = vi.fn();
 
 async function buildApp(): Promise<FastifyInstance> {
   const app = Fastify({ logger: false });
@@ -93,7 +95,7 @@
 }
 
 /** Injects a POST /api/events request */
 async function createEvent(
   app: FastifyInstance,
   body: Record<string, unknown>,
   authenticated = true,
@@ -140,7 +142,7 @@
 
       const res = await createEvent(app, validBody);
 
       expect(res.statusCode).toBe(201);
       const body = res.json();
       expect(body.slug).toBe('devcard-conf-2025');
       expect(body.organizerId).toBe(MOCK_USER_ID);
@@ -165,34 +167,34 @@
 
     it('400 — rejects missing required fields (no dates, no location)', async () => {
       const res = await createEvent(app, { name: 'Hello World' }); // missing dates + location
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects missing location', async () => {
       const { location: _omit, ...bodyWithoutLocation } = validBody;
       const res = await createEvent(app, bodyWithoutLocation);
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects location shorter than 2 characters', async () => {
       const res = await createEvent(app, { ...validBody, location: 'A' });
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects location longer than 100 characters', async () => {
       const res = await createEvent(app, { ...validBody, location: 'A'.repeat(101) });
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects event name shorter than 3 characters', async () => {
       const res = await createEvent(app, { ...validBody, name: 'Hi' });
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects event name longer than 100 characters', async () => {
       const longName = 'A'.repeat(101);
       const res = await createEvent(app, { ...validBody, name: longName });
       expect(res.statusCode).toBe(400);
     });
 
     it('400 — rejects invalid date format', async () => {
@@ -200,7 +202,7 @@
         ...validBody,
         startDate: 'not-a-date',
       });
       expect(res.statusCode).toBe(400);
     });
 
     it('201 — generates a unique slug when the first candidate is taken', async () => {
@@ -216,7 +218,7 @@
 
       const res = await createEvent(app, validBody);
 
       expect(res.statusCode).toBe(201);
       // create was eventually called with a slug different from the base one
       const createdSlug: string = prismaMock.event.create.mock.calls[0][0].data.slug;
       expect(createdSlug).toMatch(/^devcard-conf-2025-[a-z0-9]+$/);
@@ -474,7 +476,7 @@
 
   describe('GET /api/events/:slug/attendees — paginated attendee list', () => {
     /** Builds a raw EventAttendee row as Prisma returns it (with nested user) */
     function makeAttendeeRow(
       profile: typeof MOCK_USER_PROFILE | typeof MOCK_OTHER_USER_PROFILE,
     ) {
       return {

apps/backend/src/__tests__/follow.test.ts

@@ -1,4 +1,4 @@
-import Fastify, { FastifyInstance } from 'fastify';
+import Fastify, { type FastifyInstance } from 'fastify';
 import { describe, expect, it, vi, beforeAll, beforeEach, afterAll } from 'vitest';
 
 import { followRoutes } from '../routes/follow.js';

apps/backend/src/__tests__/oauth-scope.test.ts

@@ -11,10 +11,12 @@
  * flow so the two records are independent and can never overwrite each other.
  */
 
-import { describe, it, expect, beforeEach, vi } from 'vitest';
 import Fastify from 'fastify';
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+
 import { connectRoutes } from '../routes/connect.js';
 import { followRoutes } from '../routes/follow.js';
+
 import type { PrismaClient } from '@prisma/client';
 
 // ── Mocks ─────────────────────────────────────────────────────────────────────
@@ -42,20 +44,20 @@
   return Buffer.from(JSON.stringify({ userId, nonce: 'test-nonce' })).toString('base64');
 }
 
 function buildConnectApp(mockPrisma: Partial<PrismaClient>) {
   const app = Fastify({ logger: false });
   app.decorate('prisma', mockPrisma as PrismaClient);
   app.decorate('authenticate', async (req: any) => { req.user = { id: USER_ID }; });
   app.register(connectRoutes, { prefix: '/api/connect' });
   return app.ready().then(() => app);
 }
 
 // ── Follow-route test harness ─────────────────────────────────────────────────
 
 function buildFollowApp(mockPrisma: Partial<PrismaClient>) {
   const app = Fastify({ logger: false });
   app.decorate('prisma', mockPrisma as PrismaClient);
   app.decorate('authenticate', async (req: any) => { req.user = { id: USER_ID }; });
   app.register(followRoutes, { prefix: '/api/follow' });
   return app.ready().then(() => app);
 }