test: expand endpoint coverage and harden deploy gate

tests/cms-files-endpoints.spec.ts

@@ -2,15 +2,6 @@ import { beforeEach, describe, expect, it, vi } from 'vitest'
 import { createEvent, mockSuccessReadBody } from './setup'
 import fs from 'fs/promises'
 
-vi.mock('../server/utils/auth.js', () => ({
-  getUserFromToken: vi.fn(),
-  hasAnyRole: vi.fn((user, ...roles) => {
-    if (!user) return false
-    const userRoles = Array.isArray(user.roles) ? user.roles : (user.role ? [user.role] : [])
-    return roles.some(r => userRoles.includes(r))
-  })
-}))
-
 vi.mock('multer', () => {
   const single = vi.fn((field) => (req, _res, cb) => {
     if (req.__mockMulterError) {
@@ -31,6 +22,18 @@ vi.mock('multer', () => {
     diskStorage
   }
 })
+vi.mock('../server/utils/contact-requests.js', () => ({
+  readContactRequests: vi.fn()
+}))
+
+vi.mock('../server/utils/auth.js', () => ({
+  getUserFromToken: vi.fn(),
+  hasAnyRole: vi.fn((user, ...roles) => {
+    if (!user) return false
+    const userRoles = Array.isArray(user.roles) ? user.roles : (user.role ? [user.role] : [])
+    return roles.some(r => userRoles.includes(r))
+  })
+}))
 
 vi.mock('child_process', () => ({
   exec: vi.fn()
@@ -74,8 +77,11 @@ vi.mock('../server/utils/upload-validation.js', () => ({
 import saveCsvHandler from '../server/api/cms/save-csv.post.js'
 import uploadSpielplanHandler from '../server/api/cms/upload-spielplan-pdf.post.js'
 import satzungUploadHandler from '../server/api/cms/satzung-upload.post.js'
+import contactRequestsHandler from '../server/api/cms/contact-requests.get.js'
 
-const { getUserFromToken } = await import('../server/utils/auth.js')
+const contactRequestUtils = await import('../server/utils/contact-requests.js')
+
+const { getUserFromToken, hasAnyRole } = await import('../server/utils/auth.js')
 
 describe('CMS File Endpoints', () => {
   beforeEach(() => {
@@ -155,4 +161,46 @@ describe('CMS File Endpoints', () => {
       expect(fs.writeFile).toHaveBeenCalled()
     })
   })
+
+  describe('GET /api/cms/contact-requests', () => {
+    it('gibt 403 wenn kein Token vorhanden', async () => {
+      const event = createEvent()
+
+      await expect(contactRequestsHandler(event)).rejects.toMatchObject({ statusCode: 403 })
+    })
+
+    it('gibt 403 bei unzureichender Rolle', async () => {
+      const event = createEvent({ cookies: { auth_token: 'token' } })
+      getUserFromToken.mockResolvedValue({ id: '1', roles: ['mitglied'] })
+      hasAnyRole.mockReturnValue(false)
+
+      await expect(contactRequestsHandler(event)).rejects.toMatchObject({ statusCode: 403 })
+    })
+
+    it('liefert Kontaktanfragen für Admin', async () => {
+      const event = createEvent({ cookies: { auth_token: 'token' } })
+      getUserFromToken.mockResolvedValue({ id: '1', roles: ['admin'] })
+      hasAnyRole.mockReturnValue(true)
+      contactRequestUtils.readContactRequests.mockResolvedValue([
+        { name: 'Test User', email: 'test@example.com', message: 'Hallo' }
+      ])
+
+      const result = await contactRequestsHandler(event)
+
+      expect(Array.isArray(result)).toBe(true)
+      expect(result).toHaveLength(1)
+      expect(result[0].name).toBe('Test User')
+    })
+
+    it('liefert Kontaktanfragen für Trainer', async () => {
+      const event = createEvent({ cookies: { auth_token: 'token' } })
+      getUserFromToken.mockResolvedValue({ id: '2', roles: ['trainer'] })
+      hasAnyRole.mockReturnValue(true)
+      contactRequestUtils.readContactRequests.mockResolvedValue([])
+
+      const result = await contactRequestsHandler(event)
+
+      expect(Array.isArray(result)).toBe(true)
+    })
+  })
 })