vyndr/tests/unit/honeypot.test.js

const express = require('express');
const request = require('supertest');

// Mock supabase
jest.mock('../../src/utils/supabase', () => ({
  getSupabaseServiceClient: () => ({
    from: jest.fn().mockReturnValue({
      upsert: jest.fn().mockResolvedValue({ data: null, error: null }),
    }),
  }),
}));

const waitlistRoutes = require('../../src/routes/waitlist');

const app = express();
app.use(express.json());
app.use('/api/waitlist', waitlistRoutes);

describe('Honeypot spam protection', () => {
  test('accepts valid submission without honeypot', async () => {
    const res = await request(app)
      .post('/api/waitlist')
      .send({ email: 'test@example.com', list: 'merch' });
    expect(res.status).toBe(200);
    expect(res.body.success).toBe(true);
  });

  test('silently discards submission with honeypot filled', async () => {
    const res = await request(app)
      .post('/api/waitlist')
      .send({ email: 'bot@spam.com', list: 'merch', website: 'http://spam.com' });
    expect(res.status).toBe(200);
    expect(res.body.success).toBe(true);
    // Bot thinks it succeeded, but nothing was stored
  });

  test('rejects missing email', async () => {
    const res = await request(app)
      .post('/api/waitlist')
      .send({ list: 'merch' });
    expect(res.status).toBe(400);
  });

  test('rejects missing list', async () => {
    const res = await request(app)
      .post('/api/waitlist')
      .send({ email: 'test@example.com' });
    expect(res.status).toBe(400);
  });
});