Testing

Reactive Testing Patterns

Quarkus uses Hibernate Reactive with Vert.x, which requires careful handling of test execution context.

Key Rules

1. Use @RunOnVertxContext — reactive tests must run on the Vert.x event loop, not the JUnit thread
2. Use UniAsserter — standard assertions don't work with Uni<T> chains; use the Vert.x test asserter
3. Watch thread boundaries — Panache operations must stay on the event loop thread; switching threads mid-chain causes HR000069 errors

Service Test Pattern

@QuarkusTest
@RunOnVertxContext
class MyServiceTest {
    @Inject MyService service;

    @Test
    void testSomething(UniAsserter asserter) {
        asserter.assertThat(
            () -> service.findById(uuid),
            result -> {
                assertNotNull(result);
                assertEquals("expected", result.getName());
            }
        );
    }
}

REST Test Pattern

REST tests use RestAssured and don't need @RunOnVertxContext — the HTTP layer handles the reactive context:

@QuarkusTest
class MyResourceTest {
    @Test
    void testEndpoint() {
        given()
            .header("Authorization", "Bearer " + token)
            .when().get("/api/things")
            .then()
            .statusCode(200)
            .body("size()", greaterThan(0));
    }
}

Multi-Organisation Security Testing

All organisation-scoped endpoints must be tested for cross-org data isolation. This is critical — the endpoint security audit found multiple cross-org access vulnerabilities.

Required Test Pattern

Every endpoint that returns org-scoped data needs a test like:

1. Create two organisations with separate members
2. Authenticate as member of org A
3. Attempt to access data belonging to org B
4. Assert 403 Forbidden or empty result

Test Fixtures

Multi-org test fixtures create:

• Two organisations (org A and org B)
• Members in each org (different roles)
• Workspaces, views, and data in each org
• API tokens scoped per workspace

What to Test

• Workspace list only returns workspaces for the authenticated user's org
• View/column endpoints reject requests from users in other orgs
• Database config and drift detection require org membership
• SSE streams only broadcast events for the connected user's workspace

Test coverage: ViewAndColumnWorkspaceIsolationTest (19 tests) and WorkspaceSecurityTest (16 tests).

RBAC Testing

Permission tests cover the full role hierarchy:

• Organisation roles (Owner, Admin, Member) inheritance to workspaces
• Workspace roles (Admin, Editor, Viewer, Member) inheritance to views
• View role overrides (promotion and restriction)
• Column-level permission grants (canRead, canWrite, isHidden)
• Private view access (explicit ViewMembership only)
• Guest access tokens (GUEST_VIEWER, GUEST_EDITOR)

Integration Tests

Integration tests use TestContainers for PostgreSQL and in-memory messaging (configured in .env.test). Tests run against real database instances with proper schema setup.