Add comprehensive automated tests and fix CredentialController auth

Backend Tests:
- HealthControllerTest: Health check endpoint tests (6 tests)
- RateLimitFilterTest: Rate limiting functionality tests (10 tests)
- DatabaseControllerTest: SQL query validation & security tests (17 tests)
- CodeControllerTest: Code execution validation tests (13 tests)
- InputValidationTest: DTO validation tests for all request DTOs (25+ tests)

Frontend Tests:
- ErrorBoundary.test.tsx: Error boundary component tests (15 tests)
- DashboardPage.test.tsx: Dashboard page tests (20+ tests)

Fixes:
- CredentialController: Fixed user ID extraction from JWT token
  (was trying to parse username as UUID, now properly looks up user)
- DatabaseController: Added @Valid and validation to QueryRequest

CI/CD:
- Enhanced GitHub Actions workflow with proper environment variables
- Added test reports and coverage artifacts
- Created application-test.yml for test profile configuration

Author: martin

.github/workflows/tests.yml

@@ -39,12 +39,47 @@ jobs:
       - name: Run unit tests
         run: |
           cd backend
-          mvn test -Dspring.datasource.url=jdbc:postgresql://localhost:5432/testdb
+          mvn test -Dspring.profiles.active=test
+        env:
+          SPRING_DATASOURCE_URL: jdbc:postgresql://localhost:5432/testdb
+          SPRING_DATASOURCE_USERNAME: test
+          SPRING_DATASOURCE_PASSWORD: test
+          APP_JWT_SECRET: test-jwt-secret-key-for-github-actions-must-be-at-least-64-characters-long
+          APP_JWT_EXPIRATION: 86400000
+          KAFKA_BOOTSTRAP_SERVERS: localhost:9092
 
       - name: Run integration tests
         run: |
           cd backend
-          mvn verify -Dspring.datasource.url=jdbc:postgresql://localhost:5432/testdb
+          mvn verify -Dspring.profiles.active=test -DskipUnitTests
+        env:
+          SPRING_DATASOURCE_URL: jdbc:postgresql://localhost:5432/testdb
+          SPRING_DATASOURCE_USERNAME: test
+          SPRING_DATASOURCE_PASSWORD: test
+          APP_JWT_SECRET: test-jwt-secret-key-for-github-actions-must-be-at-least-64-characters-long
+          APP_JWT_EXPIRATION: 86400000
+          KAFKA_BOOTSTRAP_SERVERS: localhost:9092
+      
+      - name: Generate test report
+        if: always()
+        run: |
+          cd backend
+          echo "## Backend Test Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ -d "task-service/target/surefire-reports" ]; then
+            TESTS=$(find task-service/target/surefire-reports -name "*.xml" -exec grep -h "tests=" {} \; | head -1)
+            echo "Unit tests completed" >> $GITHUB_STEP_SUMMARY
+          fi
+      
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: backend-test-results
+          path: |
+            backend/task-service/target/surefire-reports/
+            backend/task-service/target/failsafe-reports/
+          retention-days: 7
 
   frontend-tests:
     name: Frontend Tests
@@ -68,7 +103,27 @@ jobs:
       - name: Run unit tests
         run: |
           cd frontend
-          npm test -- --watchAll=false --coverage
+          npm test -- --watchAll=false --coverage --coverageReporters=text --coverageReporters=lcov
+        env:
+          CI: true
+      
+      - name: Generate test summary
+        if: always()
+        run: |
+          cd frontend
+          echo "## Frontend Test Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ -f "coverage/lcov-report/index.html" ]; then
+            echo "Coverage report generated" >> $GITHUB_STEP_SUMMARY
+          fi
+      
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-coverage
+          path: frontend/coverage/
+          retention-days: 7
 
       - name: Build frontend
         run: |

backend/task-service/src/main/java/io/celox/taskflow/task/controller/CredentialController.java

@@ -3,7 +3,9 @@
 import io.celox.taskflow.task.domain.Credential;
 import io.celox.taskflow.task.dto.CreateCredentialDto;
 import io.celox.taskflow.task.dto.CredentialDto;
+import io.celox.taskflow.task.dto.UserDto;
 import io.celox.taskflow.task.service.CredentialService;
+import io.celox.taskflow.task.service.UserService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
@@ -23,6 +25,7 @@
 public class CredentialController {
 
     private final CredentialService credentialService;
+    private final UserService userService;
 
     @PostMapping
     public ResponseEntity<CredentialDto> createCredential(@Valid @RequestBody CreateCredentialDto request) {
@@ -71,19 +74,31 @@ public ResponseEntity<Void> deleteCredential(@PathVariable UUID id) {
     }
 
     /**
-     * Extract user ID from JWT token
+     * Extract user ID from JWT token.
+     * The token contains the username, so we need to look up the user to get the UUID.
      */
     private UUID extractUserIdFromToken() {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
         if (authentication == null || authentication.getName() == null) {
             throw new IllegalStateException("User not authenticated");
         }
 
+        String username = authentication.getName();
+        
+        // First try to parse as UUID (in case it's already a UUID)
         try {
-            return UUID.fromString(authentication.getName());
+            return UUID.fromString(username);
         } catch (IllegalArgumentException e) {
-            log.error("Invalid user ID in token: {}", authentication.getName());
-            throw new IllegalStateException("Invalid user ID in token");
+            // Not a UUID, so it's a username - look up the user
+            log.debug("Looking up user by username: {}", username);
+        }
+        
+        try {
+            UserDto user = userService.getUserByUsername(username);
+            return user.getId();
+        } catch (Exception e) {
+            log.error("Failed to find user by username: {}", username, e);
+            throw new IllegalStateException("User not found: " + username);
         }
     }
 

backend/task-service/src/main/java/io/celox/taskflow/task/controller/DatabaseController.java

@@ -3,6 +3,9 @@
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
 import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -41,7 +44,7 @@ public class DatabaseController {
     @PostMapping("/query")
     @Operation(summary = "Execute a SQL query")
     @ApiResponse(responseCode = "200", description = "Query executed successfully")
-    public ResponseEntity<QueryResult> executeQuery(@RequestBody QueryRequest request) {
+    public ResponseEntity<QueryResult> executeQuery(@Valid @RequestBody QueryRequest request) {
         long startTime = System.currentTimeMillis();
         String userId = getCurrentUserId();
 
@@ -233,6 +236,8 @@ private static class SecurityValidationResult {
 
     @Data
     public static class QueryRequest {
+        @NotBlank(message = "Query is required")
+        @Size(min = 1, max = 10000, message = "Query must be between 1 and 10000 characters")
         private String query;
     }
 

backend/task-service/src/main/java/io/celox/taskflow/task/dto/CreateWorkflowDto.java

@@ -7,6 +7,10 @@
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
+/**
+ * DTO for creating workflows.
+ * All fields are validated to prevent abuse and ensure data integrity.
+ */
 @Data
 @NoArgsConstructor
 @AllArgsConstructor
@@ -20,9 +24,12 @@ public class CreateWorkflowDto {
     @Size(max = 1000, message = "Description must not exceed 1000 characters")
     private String description;
 
+    @Size(max = 500000, message = "Workflow nodes JSON must not exceed 500KB")
     private String nodesJson;
 
+    @Size(max = 100000, message = "Workflow edges JSON must not exceed 100KB")
     private String edgesJson;
 
+    @Size(max = 50000, message = "Workflow triggers JSON must not exceed 50KB")
     private String triggersJson;
 }

backend/task-service/src/main/java/io/celox/taskflow/task/dto/LoginDto.java

@@ -1,20 +1,27 @@
 package io.celox.taskflow.task.dto;
 
 import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
+/**
+ * DTO for user login requests.
+ * All fields are validated to prevent abuse.
+ */
 @Data
 @NoArgsConstructor
 @AllArgsConstructor
 @Builder
 public class LoginDto {
 
     @NotBlank(message = "Username is required")
+    @Size(min = 3, max = 50, message = "Username must be between 3 and 50 characters")
     private String username;
 
     @NotBlank(message = "Password is required")
+    @Size(min = 6, max = 100, message = "Password must be between 6 and 100 characters")
     private String password;
 }

backend/task-service/src/main/java/io/celox/taskflow/task/dto/UpdateWorkflowDto.java

@@ -7,6 +7,10 @@
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
+/**
+ * DTO for updating workflows.
+ * All fields are validated to prevent abuse and ensure data integrity.
+ */
 @Data
 @NoArgsConstructor
 @AllArgsConstructor
@@ -21,9 +25,12 @@ public class UpdateWorkflowDto {
 
     private WorkflowStatus status;
 
+    @Size(max = 500000, message = "Workflow nodes JSON must not exceed 500KB")
     private String nodesJson;
 
+    @Size(max = 100000, message = "Workflow edges JSON must not exceed 100KB")
     private String edgesJson;
 
+    @Size(max = 50000, message = "Workflow triggers JSON must not exceed 50KB")
     private String triggersJson;
 }