Add comprehensive testing suite and fix QC issues

- Add 115+ unit, component, and E2E tests - Add Vitest configuration with coverage thresholds - Add validation schema tests (validations.test.ts) - Add sanitizer utility tests (sanitizer.test.ts) - Add WhatsApp service tests (whatsapp.test.ts) - Add component tests for UnifiedTypography and UnifiedSurface - Add E2E tests for admin auth and public pages - Add testing documentation (docs/TESTING.md) - Add sanitizer and WhatsApp utilities - Add centralized validation schemas - Refactor state management (admin/public separation) - Fix security issues (OTP via POST, session password validation) - Update AGENTS.md with testing guidelines Test Coverage: 50%+ target achieved All tests passing: 115/115 Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-03-09 14:05:03 +08:00
parent 7bc546e985
commit 6ed2392420
46 changed files with 7734 additions and 565 deletions
--- a/TESTING-GUIDE.md
+++ b/TESTING-GUIDE.md
@@ -0,0 +1,400 @@
+ ---
+
+    🧪 TESTING GUIDE
+
+    1️⃣ STATE MANAGEMENT REFACTORING 
+
+    A. Music Player State (Valtio)
+
+    Page: http://localhost:3000/darmasaba/musik/musik-desa
+
+    Test Steps:
+     1. Buka halaman musik desa
+     2. Klik lagu untuk memutar
+     3. Test tombol play/pause
+     4. Test next/previous
+     5. Test volume control
+     6. Test shuffle/repeat
+     7. Refresh page - state harus tetap ada
+
+    Expected Result:
+     - ✅ Musik bisa diputar
+     - ✅ Semua kontrol berfungsi
+     - ✅ State reactive (UI update otomatis)
+     - ✅ Tidak ada error di console
+
+    Console Check:
+
+     1 // Buka browser console, ketik:
+     2 window.publicMusicState
+     3 // Harus bisa akses state langsung
+
+    ---
+
+    B. Admin Navigation State
+
+    Page: http://localhost:3000/admin/dashboard
+
+    Test Steps:
+     1. Login ke admin panel
+     2. Test toggle sidebar (collapse/expand)
+     3. Test mobile menu (hamburger menu)
+     4. Test hover menu items
+     5. Test search functionality
+     6. Navigate antar module
+
+    Expected Result:
+     - ✅ Sidebar bisa collapse/expand
+     - ✅ Mobile menu berfungsi
+     - ✅ Menu hover responsive
+     - ✅ State persist saat navigate
+
+    ---
+
+    2️⃣ SECURITY FIXES
+
+    A. OTP via POST (Not GET) - CRITICAL ⚠️
+
+    Page: http://localhost:3000/admin/login
+
+    Test Steps:
+     1. Buka halaman login admin
+     2. Masukkan nomor WhatsApp valid
+     3. Klik "Kirim Kode OTP"
+     4. Check Network tab di browser DevTools
+
+    Network Tab Check:
+
+      1 ❌ BEFORE (Insecure):
+      2 Request URL: https://wa.wibudev.com/code?nom=08123456789&text=Kode OTP: 123456
+      3 Method: GET
+      4 
+      5 ✅ AFTER (Secure):
+      6 Request URL: https://wa.wibudev.com/send
+      7 Method: POST
+      8 Request Payload: {
+      9   "nomor": "08123456789",
+     10   "otpId": "clxxx...",
+     11   "message": "Website Desa Darmasaba..."
+     12 }
+
+    Expected Result:
+     - ✅ Request ke WhatsApp menggunakan POST
+     - ✅ OTP TIDAK terlihat di URL
+     - ✅ OTP hanya ada di message body
+     - ✅ Dapat OTP via WhatsApp
+
+    Browser History Check:
+     - Buka browser history
+     - Cari URL dengan "wa.wibudev.com"
+     - ✅ TIDAK BOLEH ADA OTP di URL
+
+    ---
+
+    B. Session Password Enforcement
+
+    File: .env.local
+
+    Test 1 - Tanpa SESSION_PASSWORD:
+
+     1 # Hapus atau comment SESSION_PASSWORD di .env.local
+     2 # SESSION_PASSWORD=""
+
+    Restart server:
+
+     1 bun run dev
+
+    Expected Result:
+     - ❌ Server GAGAL start
+     - ✅ Error message: "SESSION_PASSWORD environment variable is required"
+
+    ---
+
+    Test 2 - Password Pendek (< 32 chars):
+
+     1 # Password terlalu pendek
+     2 SESSION_PASSWORD="short"
+
+    Restart server:
+
+     1 bun run dev
+
+    Expected Result:
+     - ❌ Server GAGAL start
+     - ✅ Error message: "SESSION_PASSWORD must be at least 32 characters long"
+
+    ---
+
+    Test 3 - Password Valid (≥ 32 chars):
+
+     1 # Generate password kuat (min 32 chars)
+     2 SESSION_PASSWORD="this-is-a-very-secure-password-with-more-than-32-characters"
+
+    Restart server:
+
+     1 bun run dev
+
+    Expected Result:
+     - ✅ Server BERHASIL start
+     - ✅ Tidak ada error
+     - ✅ Bisa login ke admin panel
+
+    ---
+
+    C. Input Validation (Zod)
+
+    Page: http://localhost:3000/admin/desa/berita/list-berita/create
+
+    Test 1 - Judul Pendek (< 5 chars):
+
+     1 Judul: "abc"  ❌
+    Expected:
+     - ✅ Error: "Judul minimal 5 karakter"
+
+    ---
+
+    Test 2 - Judul Terlalu Panjang (> 255 chars):
+
+     1 Judul: "abc..." (300 chars) ❌
+    Expected:
+     - ✅ Error: "Judul maksimal 255 karakter"
+
+    ---
+
+    Test 3 - Deskripsi Pendek (< 10 chars):
+
+     1 Judul: "Judul Valid" ✅
+     2 Deskripsi: "abc" ❌
+    Expected:
+     - ✅ Error: "Deskripsi minimal 10 karakter"
+
+    ---
+
+    Test 4 - Konten Pendek (< 50 chars):
+
+     1 Judul: "Judul Valid" ✅
+     2 Deskripsi: "Deskripsi yang cukup panjang" ✅
+     3 Konten: "abc" ❌
+    Expected:
+     - ✅ Error: "Konten minimal 50 karakter"
+
+    ---
+
+    Test 5 - YouTube URL Invalid:
+
+     1 Link Video: "https://youtube.com" ❌
+    Expected:
+     - ✅ Error: "Format URL YouTube tidak valid"
+
+    ---
+
+    Test 6 - XSS Attempt:
+
+     1 Konten: "<script>alert('XSS')</script>Content yang valid..." ❌
+    Expected:
+     - ✅ Script tag dihapus
+     - ✅ Content tersimpan tanpa <script>
+     - ✅ Data tersimpan dengan aman
+
+    Verify di Database:
+
+     1 SELECT content FROM berita ORDER BY "createdAt" DESC LIMIT 1;
+     2 -- Harus tanpa <script> tag
+
+    ---
+
+    Test 7 - Data Valid (Semua Field Benar):
+
+     1 Judul: "Berita Testing" ✅ (5-255 chars)
+     2 Deskripsi: "Deskripsi lengkap berita" ✅ (10-500 chars)
+     3 Konten: "Konten berita yang lengkap dan valid..." ✅ (>50 chars)
+     4 Kategori: [Pilih kategori] ✅
+     5 Featured Image: [Upload image] ✅
+     6 Link Video: "https://www.youtube.com/watch?v=dQw4w9WgXcQ" ✅
+
+    Expected:
+     - ✅ Berhasil simpan
+     - ✅ Redirect ke list berita
+     - ✅ Data tampil dengan benar
+
+    ---
+
+    3️⃣ ADDITIONAL PAGES TO TEST
+
+    Music Player Integration
+
+
+    ┌────────────┬─────────────────────────────┬───────────────────────────────┐
+    │ Page       │ URL                         │ Test                          │
+    ├────────────┼─────────────────────────────┼───────────────────────────────┤
+    │ Musik Desa │ /darmasaba/musik/musik-desa │ Full player functionality     │
+    │ Home       │ /darmasaba                  │ Fixed player bar (if enabled) │
+    └────────────┴─────────────────────────────┴───────────────────────────────┘
+
+
+    ---
+
+    Admin Pages (State Management)
+
+
+    ┌───────────────┬───────────────────────────────────────┬───────────────────────────┐
+    │ Page          │ URL                                   │ Test                      │
+    ├───────────────┼───────────────────────────────────────┼───────────────────────────┤
+    │ Login         │ /admin/login                          │ Session state             │
+    │ Dashboard     │ /admin/dashboard                      │ Navigation state          │
+    │ Berita List   │ /admin/desa/berita/list-berita        │ Form state                │
+    │ Create Berita │ /admin/desa/berita/list-berita/create │ Validation + sanitization │
+    └───────────────┴───────────────────────────────────────┴───────────────────────────┘
+
+    ---
+
+    4️⃣ BROWSER CONSOLE TESTS
+
+    Test State Management Directly
+
+    Buka browser console dan test:
+
+      1 // Test 1: Access public music state
+      2 import { publicMusicState } from '@/state/public/publicMusicState';
+      3 console.log('Music State:', publicMusicState);
+      4 
+      5 // Test 2: Access admin nav state
+      6 import { adminNavState } from '@/state/admin/adminNavState';
+      7 console.log('Admin Nav:', adminNavState);
+      8 
+      9 // Test 3: Change state manually
+     10 adminNavState.mobileOpen = true;
+     11 console.log('Mobile Open:', adminNavState.mobileOpen);
+     12 
+     13 // Test 4: Music state methods
+     14 publicMusicState.togglePlayer();
+     15 console.log('Player Open:', publicMusicState.isPlayerOpen);
+
+    ---
+
+    5️⃣ NETWORK TAB CHECKS
+
+    OTP Login Flow
+
+     1. Buka DevTools → Network tab
+     2. Login page: /admin/login
+     3. Submit nomor
+     4. Cari request ke wa.wibudev.com
+
+    Check:
+
+      1 ✅ CORRECT:
+      2 - Method: POST
+      3 - URL: https://wa.wibudev.com/send
+      4 - Body: { nomor, otpId, message }
+      5 - NO OTP in URL
+      6 
+      7 ❌ WRONG:
+      8 - Method: GET
+      9 - URL: https://wa.wibudev.com/code?nom=...&text=...OTP...
+     10 - OTP visible in URL
+
+    ---
+
+    6️⃣ DATABASE CHECKS
+
+    Verify Sanitization
+
+      1 -- Check berita content setelah input XSS attempt
+      2 SELECT 
+      3   id, 
+      4   judul, 
+      5   content, 
+      6   "linkVideo",
+      7   "createdAt"
+      8 FROM "Berita"
+      9 ORDER BY "createdAt" DESC
+     10 LIMIT 5;
+     11 
+     12 -- Content TIDAK BOLEH mengandung:
+     13 -- <script>, javascript:, onerror=, onclick=, dll
+
+    ---
+
+    ✅ TESTING CHECKLIST
+
+      1 STATE MANAGEMENT:
+      2 [ ] Music player works (play/pause/next/prev)
+      3 [ ] Volume control works
+      4 [ ] Shuffle/repeat works
+      5 [ ] State persists after refresh
+      6 [ ] Admin navigation works
+      7 [ ] Sidebar toggle works
+      8 [ ] Mobile menu works
+      9 
+     10 SECURITY - OTP:
+     11 [ ] Login request uses POST (not GET)
+     12 [ ] OTP NOT visible in Network tab URL
+     13 [ ] OTP NOT in browser history
+     14 [ ] WhatsApp receives OTP correctly
+     15 [ ] Login flow completes successfully
+     16 
+     17 SECURITY - SESSION:
+     18 [ ] Server fails without SESSION_PASSWORD
+     19 [ ] Server fails with short password
+     20 [ ] Server starts with valid password
+     21 [ ] Can login to admin panel
+     22 [ ] Session persists across pages
+     23 
+     24 SECURITY - VALIDATION:
+     25 [ ] Short judul rejected
+     26 [ ] Long judul rejected
+     27 [ ] Short deskripsi rejected
+     28 [ ] Short content rejected
+     29 [ ] Invalid YouTube URL rejected
+     30 [ ] XSS attempt sanitized
+     31 [ ] Valid data accepted
+     32 
+     33 CLEANUP:
+     34 [ ] No console errors
+     35 [ ] No TypeScript errors
+     36 [ ] All pages load correctly
+
+    ---
+
+    🐛 TROUBLESHOOTING
+
+    Issue: "SESSION_PASSWORD environment variable is required"
+
+    Fix:
+
+     1 # Tambahkan ke .env.local
+     2 SESSION_PASSWORD="your-secure-password-at-least-32-characters-long"
+
+    ---
+
+    Issue: WhatsApp OTP tidak terkirim
+
+    Check:
+     1. Network tab - apakah POST request berhasil?
+     2. Check logs - apakah ada error dari WhatsApp API?
+     3. Check nomor WhatsApp format (harus valid)
+
+    ---
+
+    Issue: Validasi error tidak muncul
+
+    Check:
+     1. Browser console - apakah ada Zod error?
+     2. Network tab - check request body
+     3. Check schema di src/lib/validations/index.ts
+
+    ---
+
+    Issue: Music player tidak berfungsi
+
+    Check:
+     1. Browser console - ada error?
+     2. Check publicMusicState di console
+     3. Reload page - state ter-initialize?
+
+    ---
+
+    Selamat testing! Jika ada issue, check console logs dan network tab untuk debugging. 🎉
+
+