fix: return appropriate HTTP status codes

.github/workflows/node.js.yml

@@ -5,9 +5,9 @@ name: Node.js CI
 
 on:
   push:
-    branches: ["main", "develop"]
+    branches: ["main"]
   pull_request:
-    branches: ["main", "develop"]
+    branches: ["main"]
 
 jobs:
   backend:

backend/.mocharc.js

@@ -3,5 +3,5 @@ process.env.NODE_NO_WARNINGS = 1;
 
 module.exports = {
   require: ['esm', 'tsx'],
-  timeout: '10000',
+  timeout: '30000',
 };

backend/app/services/SessionService.ts

@@ -30,7 +30,7 @@ export class SessionService {
 
     const isPasswordCorrect = await bcrypt.compare(password, user.password);
     if (!isPasswordCorrect) {
-      throw new RequestError(StatusCodes.UNAUTHORIZED, 'wrong_password');
+      throw new RequestError(StatusCodes.UNAUTHORIZED, 'invalid_credentials');
     }
 
     return {

backend/app/services/UserService.ts

@@ -23,13 +23,16 @@ export class UserService {
 
   static async registerUser(email: string, password: string): Promise<User> {
     if (!UserService._isValidEmail(email)) {
-      throw new RequestError(StatusCodes.BAD_REQUEST, 'invalid_email');
+      throw new RequestError(StatusCodes.UNPROCESSABLE_ENTITY, 'invalid_email');
     }
     if (await UserRepository.findByEmail(email)) {
-      throw new RequestError(StatusCodes.BAD_REQUEST, 'user_already_exists');
+      throw new RequestError(StatusCodes.UNAUTHORIZED, 'user_already_exists');
     }
     if (!UserService._checkPasswordStrength(password)) {
-      throw new RequestError(StatusCodes.BAD_REQUEST, 'invalid_password');
+      throw new RequestError(
+        StatusCodes.UNPROCESSABLE_ENTITY,
+        'invalid_password',
+      );
     }
 
     const hash = await bcrypt.hash(password, SALT_ROUNDS);
@@ -43,7 +46,7 @@ export class UserService {
 
   static async sendVerificationEmail(user: User, email: string): Promise<void> {
     if (!UserService._isValidEmail(email)) {
-      throw new RequestError(StatusCodes.BAD_REQUEST, 'invalid_email');
+      throw new RequestError(StatusCodes.UNPROCESSABLE_ENTITY, 'invalid_email');
     }
 
     const challenge = await ChallengeRepository.findByUserAndType(
@@ -52,7 +55,10 @@ export class UserService {
     );
 
     if (challenge?.disabled) {
-      throw new RequestError(StatusCodes.BAD_REQUEST, 'email_already_verified');
+      throw new RequestError(
+        StatusCodes.UNAUTHORIZED,
+        'email_already_verified',
+      );
     }
 
     const emailVerificationToken = crypto.randomBytes(32).toString('hex');
@@ -103,7 +109,7 @@ export class UserService {
 
   static async sendPasswordResetEmail(email: string): Promise<void> {
     if (!UserService._isValidEmail(email)) {
-      throw new RequestError(StatusCodes.BAD_REQUEST, 'invalid_email');
+      throw new RequestError(StatusCodes.UNPROCESSABLE_ENTITY, 'invalid_email');
     }
 
     const user = await UserRepository.findByEmail(email);
@@ -160,7 +166,10 @@ export class UserService {
     }
 
     if (!UserService._checkPasswordStrength(password)) {
-      throw new RequestError(StatusCodes.BAD_REQUEST, 'invalid_password');
+      throw new RequestError(
+        StatusCodes.UNPROCESSABLE_ENTITY,
+        'invalid_password',
+      );
     }
 
     await this.changePassword(user.id, password);

backend/tests/integration/UserRouter.test.ts

@@ -22,38 +22,35 @@ describe('UserRouter', () => {
       expect(response.status).to.equal(StatusCodes.CREATED);
     });
 
-    it('should return a 400 status code if email is already in use', async () => {
+    it('should return a 401 status code if email is already in use', async () => {
       const email = uniqueEmail();
 
-      await User.create({
-        email,
-        password: PASSWORD,
-      });
+      await UserService.registerUser(email, PASSWORD);
 
       const response = await request(app).post('/users').send({
         email,
         password: PASSWORD,
       });
 
-      expect(response.status).to.equal(StatusCodes.BAD_REQUEST);
+      expect(response.status).to.equal(StatusCodes.UNAUTHORIZED);
     });
 
-    it('should return a 400 status code if email is invalid', async () => {
+    it('should return a 422 status code if email is invalid', async () => {
       const response = await request(app).post('/users').send({
         email: 'invalid-email',
         password: PASSWORD,
       });
 
-      expect(response.status).to.equal(StatusCodes.BAD_REQUEST);
+      expect(response.status).to.equal(StatusCodes.UNPROCESSABLE_ENTITY);
     });
 
-    it('should return a 400 status code if password is invalid', async () => {
+    it('should return a 422 status code if password is invalid', async () => {
       const response = await request(app).post('/users').send({
         email: uniqueEmail(),
         password: 'invalid-password',
       });
 
-      expect(response.status).to.equal(StatusCodes.BAD_REQUEST);
+      expect(response.status).to.equal(StatusCodes.UNPROCESSABLE_ENTITY);
     });
   });
 
@@ -141,12 +138,12 @@ describe('UserRouter', () => {
       expect(response.status).to.equal(StatusCodes.OK);
     });
 
-    it('should return a 400 status code if email is invalid', async () => {
+    it('should return a 422 status code if email is invalid', async () => {
       const response = await request(app).post('/users/password-reset').send({
         email: 'invalid-email',
       });
 
-      expect(response.status).to.equal(StatusCodes.BAD_REQUEST);
+      expect(response.status).to.equal(StatusCodes.UNPROCESSABLE_ENTITY);
     });
 
     it('should return a 200 satus code even if user is not found', async () => {
@@ -158,7 +155,7 @@ describe('UserRouter', () => {
     });
   });
 
-  describe('POST /users/:id/password', () => {
+  describe('PUT /users/:id/password', () => {
     const registerUser = async (): Promise<User> => {
       return await UserService.registerUser(uniqueEmail(), PASSWORD);
     };

backend/tests/unit/SessionService.test.ts

@@ -70,7 +70,7 @@ describe('SessionService', () => {
 
       await expect(
         SessionService.login(USER.email, USER.password),
-      ).to.be.rejectedWith('wrong_password');
+      ).to.be.rejectedWith('invalid_credentials');
     });
   });
 });