
test(connect): add regression testing for oauth callback flow#411

Merged
Harxhit merged 1 commit into Dev-Card:main from VIDYANKSHINI:fix/oauth-callback-auth on Jun 7, 2026

Conversation

@VIDYANKSHINI

Contributor

Summary

This PR introduces comprehensive regression testing for the OAuth connect callback flow to fulfill the Acceptance Criteria for Issue #380. (Note: The core route logic to remove app.authenticate and use the Redis nonce flow was already merged in upstream main during a previous sync, so this PR exclusively adds the missing test coverage to guarantee its security and functionality).

Closes #380


Type of Change

  • Bug fix
  • New feature
  • Refactor (no functional change)
  • UI / Design change
  • Tests only
  • Documentation
  • Infrastructure / DevOps
  • Security

What Changed

  • apps/backend/src/__tests__/connect.test.ts:
    • Replaced the skeleton tests with a fully implemented test suite using vitest, mockRedis, and mockPrisma.
    • Added tests for the Valid Callback Flow, ensuring code exchange via fetch and token upsert.
    • Added negative tests to handle Missing Params (code or state).
    • Added security regression tests for Invalid/Malformed State and Expired/Invalid Nonce Handling (CSRF protection checks).
    • Validated Replay Attack prevention by ensuring redis.del is strictly called upon nonce verification.

How to Test

  1. Navigate to the apps/backend directory.
  2. Run the test suite using pnpm exec vitest run src/__tests__/connect.test.ts.
  3. Verify that all 7 test cases pass successfully without any 500 or 401 errors.

Checklist

  • My code follows the project's coding style (pnpm -r run lint passes).
  • TypeScript compiles without errors (pnpm -r run typecheck).
  • I have added or updated tests for the changes I made.
  • All tests pass locally (pnpm -r run test).
  • I have updated documentation where necessary.
  • No new console.log or debug statements left in the code.
  • Breaking changes are documented in this PR description.

Screenshots / Recordings

N/A (Tests only)


Additional Context

The mocked test environment utilizes Fastify app.inject requests to simulate browser-level GET redirects. It correctly verifies that the Redis layer mitigates CSRF while keeping the endpoints gracefully redirecting to /settings with specific error query parameters.
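The nonce flow the tests above exercise, written out as an added example; this is not Dev-Card's code and it does not use the project's Fastify routes, Prisma models or Redis client. The in-memory MockRedis, the key prefix `oauth:state:`, the ten-minute TTL, the `exchangeCode`/`upsertToken` callbacks standing in for the fetch and Prisma calls, and the redirect query values (`error=missing_params`, `error=invalid_state`, `error=exchange_failed`, `connected=1`) are all assumed for illustration; the page only says the endpoint redirects to /settings with error parameters. The example goes one step past the description by consuming the nonce with a single GETDEL-style operation rather than a separate get followed by del, since the two-step form leaves a window in which the same state could be redeemed twice.

```typescript
import { randomBytes } from "node:crypto";

// Stand-in for the Redis client (assumption: not the project's mock). Entries
// expire, and getdel() reads and deletes in one step so the nonce is single-use.
// A real client can use GETDEL (Redis 6.2+) to close the get-then-del race.
class MockRedis {
  private store = new Map<string, { value: string; expiresAt: number }>();
  constructor(private now: () => number = () => Date.now()) {}
  set(key: string, value: string, ttlMs: number): void {
    this.store.set(key, { value, expiresAt: this.now() + ttlMs });
  }
  getdel(key: string): string | null {
    const entry = this.store.get(key);
    this.store.delete(key);
    if (!entry || entry.expiresAt <= this.now()) return null;
    return entry.value;
  }
}

// Assumed constants and redirect targets (illustrative, not the project's).
const STATE_KEY_PREFIX = "oauth:state:";
const STATE_TTL_MS = 10 * 60 * 1000;
const STATE_PATTERN = /^[A-Za-z0-9_-]{43}$/; // 32 random bytes as base64url

interface Deps {
  redis: MockRedis;
  exchangeCode: (code: string) => { accessToken: string } | null; // stands in for fetch
  upsertToken: (userId: string, accessToken: string) => void;     // stands in for Prisma
}

// Called when the user starts the connect flow: mint a nonce bound to the user id
// of the authenticated session, so the callback needs no header-based auth.
function beginOAuth(userId: string, redis: MockRedis): string {
  const state = randomBytes(32).toString("base64url");
  redis.set(STATE_KEY_PREFIX + state, userId, STATE_TTL_MS);
  return state;
}

type CallbackResult = { location: string; upserted: boolean };
const redirect = (q: string): CallbackResult => ({ location: `/settings?${q}`, upserted: false });

function handleCallback(query: Record<string, string | undefined>, deps: Deps): CallbackResult {
  const { code, state } = query;
  if (!code || !state) return redirect("error=missing_params");
  if (!STATE_PATTERN.test(state)) return redirect("error=invalid_state"); // malformed
  // CSRF check: the state must be one this server minted and has not yet consumed.
  // It is consumed here, before the code exchange, so a replayed callback finds nothing.
  const userId = deps.redis.getdel(STATE_KEY_PREFIX + state);
  if (userId === null) return redirect("error=invalid_state"); // unknown, expired or replayed
  const token = deps.exchangeCode(code);
  if (!token) return redirect("error=exchange_failed");
  deps.upsertToken(userId, token.accessToken);
  return { location: "/settings?connected=1", upserted: true };
}

// Drives the handler through the cases the PR's tests cover, with a controllable clock.
function runScenarios(): Record<string, string> {
  let now = 1_000_000;
  const redis = new MockRedis(() => now);
  const upserts: string[] = [];
  const deps: Deps = {
    redis,
    exchangeCode: (code) => (code === "good-code" ? { accessToken: "tok_" + code } : null),
    upsertToken: (userId, tok) => { upserts.push(`${userId}:${tok}`); },
  };
  const out: Record<string, string> = {};
  const state = beginOAuth("user-1", redis);
  out.missing = handleCallback({ code: "good-code" }, deps).location;
  out.malformed = handleCallback({ code: "good-code", state: "../x" }, deps).location;
  out.unknown = handleCallback({ code: "good-code", state: "A".repeat(43) }, deps).location;
  out.valid = handleCallback({ code: "good-code", state }, deps).location;
  out.replay = handleCallback({ code: "good-code", state }, deps).location; // same state again
  const s2 = beginOAuth("user-2", redis);
  now += STATE_TTL_MS + 1; // let the second nonce expire
  out.expired = handleCallback({ code: "good-code", state: s2 }, deps).location;
  const s3 = beginOAuth("user-3", redis);
  out.badCode = handleCallback({ code: "bad-code", state: s3 }, deps).location;
  out.upserts = upserts.join(",");
  return out;
}
```

Only the valid run reaches the token upsert; the missing-parameter, malformed, unknown, replayed and expired cases all redirect to /settings before any code exchange happens, and a failed exchange still consumes the nonce, which is the behaviour the regression tests pin down.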

Copilot AI review requested due to automatic review settings May 30, 2026 11:15
@Harxhit

Harxhit commented May 31, 2026

Collaborator

@VIDYANKSHINI Please add tests terminal proof in PR description.

@Harxhit Harxhit added the gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking. label May 31, 2026
@VIDYANKSHINI

Contributor Author

pnpm exec vitest run src/__tests__/connect.test.ts

RUN v2.1.9 C:/Users/VIDYANKSHINI/Desktop/project/DEV/DevCard/apps/backend

✓ src/__tests__/connect.test.ts (7 tests) 187ms

Test Files 1 passed (1)
Tests 7 passed (7)
Start at 19:31:34
Duration 1.49s (transform 542ms, setup 0ms, collect 762ms, tests 187ms, environment 0ms, prepare 171ms)

@VIDYANKSHINI

Contributor Author

Hi @Harxhit,

I have added the terminal proof of the successful test runs to the PR description as requested. All 7 test cases for the OAuth connect callback flow are passing perfectly.

Could you please review and merge this when you have a moment? Thank you!

@ShantKhatri ShantKhatri requested a review from Harxhit June 6, 2026 17:37

@Harxhit Harxhit left a comment

Collaborator


LGTM. Tests are passing. Approving

@Harxhit Harxhit merged commit 01981a0 into Dev-Card:main Jun 7, 2026
1 of 2 checks passed
@github-actions

github-actions Bot commented Jun 7, 2026


Congratulations @VIDYANKSHINI on getting PR #411 merged!

    Thank you for your contribution. Please mention @Harxhit in our Discord server to receive the appropriate GSSoC labels and recognition.


Labels

gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking.


Development

Successfully merging this pull request may close these issues.

[BUG] OAuth Connect Callback Blocked by Header-Only Authentication Check
