Iron Law

Write the test before the code. If you cannot write the test, the design is wrong.

RED → GREEN → REFACTOR Cycle

Identify the unit to test: function, composable, or endpoint.
Write the nominal case test (happy path): valid input → expected output.
Write the mandatory SIAE+ edge case tests:
- Tax code already exists → 409
- Duplicate email → 409
- Formally invalid tax code → 400
- Non-compliant password → 400
Run the test command — they must fail (RED).
Write the minimum code to make them pass (GREEN).
Refactor without breaking the tests (REFACTOR).

Test isolation (mandatory)

Registration tests write to users.json. Without a reset between tests, the second run fails because the email is already registered. Always use beforeEach/afterEach:

Iron Law

Write the test before the code. If you cannot write the test, the design is wrong.

RED → GREEN → REFACTOR Cycle

Identify the unit to test: function, composable, or endpoint.
Write the nominal case test (happy path): valid input → expected output.
Write the mandatory SIAE+ edge case tests:
- Tax code already exists → 409
- Duplicate email → 409
- Formally invalid tax code → 400
- Non-compliant password → 400
Run the test command — they must fail (RED).
Write the minimum code to make them pass (GREEN).
Refactor without breaking the tests (REFACTOR).

Test isolation (mandatory)

Registration tests write to users.json. Without a reset between tests, the second run fails because the email is already registered. Always use beforeEach/afterEach:

import request from 'supertest' import app from '../src/index' import fs from 'fs' const USERS_FILE = './backend/users.json' beforeEach(() => fs.writeFileSync(USERS_FILE, JSON.stringify([]))) afterEach(() => fs.writeFileSync(USERS_FILE, JSON.stringify([]))) describe('POST /api/auth/register', () => { it('201 with valid payload', async () => { const res = await request(app).post('/api/auth/register').send(validPayload) expect(res.status).toBe(201) expect(res.body.token).toBeDefined() }) it('409 if email already exists', async () => { await request(app).post('/api/auth/register').send(validPayload) const res = await request(app).post('/api/auth/register').send(validPayload) expect(res.status).toBe(409) expect(res.body.redirectTo).toBe('login') }) it('409 if tax code already exists with different email', async () => { await request(app).post('/api/auth/register').send(validPayload) const res = await request(app).post('/api/auth/register').send({ ...validPayload, email: '[email protected]' }) expect(res.status).toBe(409) expect(res.body.redirectTo).toBe('login') }) it('400 if tax code is invalid', async () => { const res = await request(app).post('/api/auth/register').send({ ...validPayload, codiceFiscale: 'INVALID' }) expect(res.status).toBe(400) }) it('400 if password is non-compliant', async () => { const res = await request(app).post('/api/auth/register').send({ ...validPayload, password: 'weak' }) expect(res.status).toBe(400) }) it('400 if required field is missing', async () => { const { nome, ...withoutNome } = validPayload const res = await request(app).post('/api/auth/register').send(withoutNome) expect(res.status).toBe(400) }) }) describe('POST /api/auth/login', () => { beforeEach(async () => { await request(app).post('/api/auth/register').send(validPayload) }) it('200 with correct credentials', async () => { const res = await request(app).post('/api/auth/login') .send({ email: '[email protected]', password: 'Password1' }) expect(res.status).toBe(200) expect(res.body.token).toBeDefined() }) it('401 with wrong password — generic message', async () => { const res = await request(app).post('/api/auth/login') .send({ email: '[email protected]', password: 'wrongpassword' }) expect(res.status).toBe(401) // RF-03: must not specify whether email or password is wrong expect(res.body.error).not.toMatch(/email/i) expect(res.body.error).not.toMatch(/password/i) }) it('401 with non-existent email — same generic message', async () => { const res = await request(app).post('/api/auth/login') .send({ email: '[email protected]', password: 'Password1' }) expect(res.status).toBe(401) expect(res.body.error).not.toMatch(/email/i) expect(res.body.error).not.toMatch(/password/i) }) }) describe('GET /api/user', () => { let token: string beforeEach(async () => { await request(app).post('/api/auth/register').send(validPayload) const res = await request(app).post('/api/auth/login') .send({ email: '[email protected]', password: 'Password1' }) token = res.body.token }) it('200 with valid token', async () => { const res = await request(app).get('/api/user') .set('Authorization', `Bearer ${token}`) expect(res.status).toBe(200) expect(res.body.nome).toBe('Mario') expect(res.body.password).toBeUndefined() // never expose the password }) it('401 without token', async () => { const res = await request(app).get('/api/user') expect(res.status).toBe(401) }) it('401 with malformed token', async () => { const res = await request(app).get('/api/user') .set('Authorization', 'Bearer invalidtoken') expect(res.status).toBe(401) }) })

Tdd

Iron Law

RED → GREEN → REFACTOR Cycle

Test isolation (mandatory)

Tdd

Iron Law

RED → GREEN → REFACTOR Cycle

Test isolation (mandatory)

Reusable valid payload

Express endpoint tests (supertest)

validationService tests (pure functions)

Vue composable tests (vitest)

Commands

Risk: MEDIUM

Extract Errors

Frontend Patterns

Coding Standards

Coding Standards

Coding Standards

Frontend Patterns