Add server, routes, views, CLI, CSS, and integration tests

- Server factory with Fastify plugins (JWT, cookie, multipart, formbody, static)
- Auth middleware: requireAuth preHandler (401 for API, redirect for pages)
- Auth API routes: POST /api/v1/auth/login, POST /api/v1/auth/logout
- File API routes: GET/POST /api/v1/files, DELETE /api/v1/files/:id
- Page routes: /, /login, /logout, /upload, /files, /files/:id/delete, /f/:id, /f/:id/raw
- HTML views: layout, login, upload, file-list, file-view, not-found
- CLI register-user script
- public/style.css dark theme
- Test helpers: createTestApp, loginAs, buildMultipart
- Integration tests for auth API, file API, and page routes (51 tests passing)
- Update CLAUDE.md with red/green TDD and commit instructions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/helpers/setup.ts

@@ -0,0 +1,88 @@
+import { mkdtempSync, rmSync, mkdirSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { initDb } from '../../src/db/schema.ts';
+import { createServer } from '../../src/server.ts';
+import type { Config } from '../../src/config.ts';
+import type Database from 'better-sqlite3';
+import type { FastifyInstance } from 'fastify';
+
+export async function loginAs(app: FastifyInstance, username: string, password: string): Promise<string> {
+  const res = await app.inject({
+    method: 'POST',
+    url: '/api/v1/auth/login',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ username, password }),
+  });
+  const cookie = res.headers['set-cookie'] as string;
+  return cookie.split(';')[0].replace('token=', '');
+}
+
+export interface MultipartFile {
+  filename: string;
+  contentType: string;
+  data: Buffer;
+}
+
+export function buildMultipart(files: Record<string, MultipartFile>): { payload: Buffer; headers: Record<string, string> } {
+  const boundary = '----TestBoundary' + Math.random().toString(36).slice(2);
+  const parts: Buffer[] = [];
+
+  for (const [fieldname, file] of Object.entries(files)) {
+    parts.push(Buffer.from(
+      `--${boundary}\r\n` +
+      `Content-Disposition: form-data; name="${fieldname}"; filename="${file.filename}"\r\n` +
+      `Content-Type: ${file.contentType}\r\n\r\n`,
+    ));
+    parts.push(file.data);
+    parts.push(Buffer.from('\r\n'));
+  }
+  parts.push(Buffer.from(`--${boundary}--\r\n`));
+
+  return {
+    payload: Buffer.concat(parts),
+    headers: { 'content-type': `multipart/form-data; boundary=${boundary}` },
+  };
+}
+
+export interface TestContext {
+  app: FastifyInstance;
+  db: Database.Database;
+  uploadDir: string;
+  logFile: string;
+  cleanup: () => void;
+}
+
+export function createTestApp(): TestContext {
+  const tmpDir = mkdtempSync(join(tmpdir(), 'nanodrop-int-'));
+  const uploadDir = join(tmpDir, 'uploads');
+  const logFile = join(tmpDir, 'test.log');
+
+  mkdirSync(uploadDir, { recursive: true });
+
+  const db = initDb(':memory:');
+
+  const config: Config = {
+    port: 0,
+    host: '127.0.0.1',
+    jwtSecret: 'test-secret-key',
+    jwtExpiry: '1h',
+    dbPath: ':memory:',
+    uploadDir,
+    logFile,
+    maxFileSize: 10 * 1024 * 1024,
+    baseUrl: 'http://localhost:3000',
+    cookieSecure: false,
+    trustProxy: false,
+  };
+
+  const app = createServer({ config, db });
+
+  return {
+    app,
+    db,
+    uploadDir,
+    logFile,
+    cleanup: () => rmSync(tmpDir, { recursive: true, force: true }),
+  };
+}

tests/integration/auth-api.test.ts

@@ -0,0 +1,101 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { createTestApp, type TestContext } from '../helpers/setup.ts';
+import { createUser } from '../../src/db/users.ts';
+import { hashPassword } from '../../src/services/auth.ts';
+
+describe('POST /api/v1/auth/login', () => {
+  let ctx: TestContext;
+
+  beforeEach(async () => {
+    ctx = createTestApp();
+    const hash = await hashPassword('secret');
+    createUser(ctx.db, { username: 'alice', passwordHash: hash });
+  });
+
+  afterEach(async () => {
+    await ctx.app.close();
+    ctx.cleanup();
+  });
+
+  it('returns 200 and sets cookie on valid credentials', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'alice', password: 'secret' }),
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toEqual({ ok: true });
+    expect(res.headers['set-cookie']).toMatch(/token=/);
+  });
+
+  it('returns 401 on wrong password', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'alice', password: 'wrong' }),
+    });
+    expect(res.statusCode).toBe(401);
+  });
+
+  it('returns 401 on unknown user', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'ghost', password: 'x' }),
+    });
+    expect(res.statusCode).toBe(401);
+  });
+
+  it('returns 400 when fields are missing', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'alice' }),
+    });
+    expect(res.statusCode).toBe(400);
+  });
+});
+
+describe('POST /api/v1/auth/logout', () => {
+  let ctx: TestContext;
+  let token: string;
+
+  beforeEach(async () => {
+    ctx = createTestApp();
+    const hash = await hashPassword('secret');
+    createUser(ctx.db, { username: 'alice', passwordHash: hash });
+
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/login',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ username: 'alice', password: 'secret' }),
+    });
+    const cookie = res.headers['set-cookie'] as string;
+    token = cookie.split(';')[0].replace('token=', '');
+  });
+
+  afterEach(async () => {
+    await ctx.app.close();
+    ctx.cleanup();
+  });
+
+  it('clears cookie on logout', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/auth/logout',
+      cookies: { token },
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.headers['set-cookie']).toMatch(/token=;/);
+  });
+
+  it('returns 401 without cookie', async () => {
+    const res = await ctx.app.inject({ method: 'POST', url: '/api/v1/auth/logout' });
+    expect(res.statusCode).toBe(401);
+  });
+});

tests/integration/files-api.test.ts

@@ -0,0 +1,120 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { createTestApp, type TestContext, loginAs, buildMultipart } from '../helpers/setup.ts';
+import { createUser } from '../../src/db/users.ts';
+import { hashPassword } from '../../src/services/auth.ts';
+
+describe('GET /api/v1/files', () => {
+  let ctx: TestContext;
+  let token: string;
+
+  beforeEach(async () => {
+    ctx = createTestApp();
+    const hash = await hashPassword('secret');
+    createUser(ctx.db, { username: 'alice', passwordHash: hash });
+    token = await loginAs(ctx.app, 'alice', 'secret');
+  });
+
+  afterEach(async () => {
+    await ctx.app.close();
+    ctx.cleanup();
+  });
+
+  it('returns empty list for new user', async () => {
+    const res = await ctx.app.inject({
+      method: 'GET',
+      url: '/api/v1/files',
+      cookies: { token },
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.json().files).toEqual([]);
+  });
+
+  it('returns 401 without auth', async () => {
+    const res = await ctx.app.inject({ method: 'GET', url: '/api/v1/files' });
+    expect(res.statusCode).toBe(401);
+  });
+});
+
+describe('POST /api/v1/files', () => {
+  let ctx: TestContext;
+  let token: string;
+
+  beforeEach(async () => {
+    ctx = createTestApp();
+    const hash = await hashPassword('secret');
+    createUser(ctx.db, { username: 'alice', passwordHash: hash });
+    token = await loginAs(ctx.app, 'alice', 'secret');
+  });
+
+  afterEach(async () => {
+    await ctx.app.close();
+    ctx.cleanup();
+  });
+
+  it('uploads a file and returns url', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/files',
+      cookies: { token },
+      ...buildMultipart({ file: { filename: 'test.txt', contentType: 'text/plain', data: Buffer.from('hello') } }),
+    });
+    expect(res.statusCode).toBe(201);
+    const body = res.json();
+    expect(body.url).toMatch(/\/f\//);
+    expect(body.file.original_name).toBe('test.txt');
+  });
+
+  it('returns 401 without auth', async () => {
+    const res = await ctx.app.inject({ method: 'POST', url: '/api/v1/files' });
+    expect(res.statusCode).toBe(401);
+  });
+});
+
+describe('DELETE /api/v1/files/:id', () => {
+  let ctx: TestContext;
+  let token: string;
+  let fileId: string;
+
+  beforeEach(async () => {
+    ctx = createTestApp();
+    const hash = await hashPassword('secret');
+    createUser(ctx.db, { username: 'alice', passwordHash: hash });
+    token = await loginAs(ctx.app, 'alice', 'secret');
+
+    const uploadRes = await ctx.app.inject({
+      method: 'POST',
+      url: '/api/v1/files',
+      cookies: { token },
+      ...buildMultipart({ file: { filename: 'f.txt', contentType: 'text/plain', data: Buffer.from('data') } }),
+    });
+    fileId = uploadRes.json().file.id;
+  });
+
+  afterEach(async () => {
+    await ctx.app.close();
+    ctx.cleanup();
+  });
+
+  it('deletes an owned file', async () => {
+    const res = await ctx.app.inject({
+      method: 'DELETE',
+      url: `/api/v1/files/${fileId}`,
+      cookies: { token },
+    });
+    expect(res.statusCode).toBe(200);
+  });
+
+  it('returns 404 for non-existent file', async () => {
+    const res = await ctx.app.inject({
+      method: 'DELETE',
+      url: '/api/v1/files/doesnotexist',
+      cookies: { token },
+    });
+    expect(res.statusCode).toBe(404);
+  });
+
+  it('returns 401 without auth', async () => {
+    const res = await ctx.app.inject({ method: 'DELETE', url: `/api/v1/files/${fileId}` });
+    expect(res.statusCode).toBe(401);
+  });
+});

tests/integration/pages.test.ts

@@ -0,0 +1,164 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { createTestApp, type TestContext, loginAs, buildMultipart } from '../helpers/setup.ts';
+import { createUser } from '../../src/db/users.ts';
+import { hashPassword } from '../../src/services/auth.ts';
+
+async function setup() {
+  const ctx = createTestApp();
+  const hash = await hashPassword('secret');
+  createUser(ctx.db, { username: 'alice', passwordHash: hash });
+  return ctx;
+}
+
+describe('GET /', () => {
+  let ctx: TestContext;
+
+  beforeEach(async () => { ctx = await setup(); });
+  afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
+
+  it('shows login page when unauthenticated', async () => {
+    const res = await ctx.app.inject({ method: 'GET', url: '/' });
+    expect(res.statusCode).toBe(200);
+    expect(res.headers['content-type']).toMatch(/text\/html/);
+    expect(res.body).toContain('Sign in');
+  });
+
+  it('redirects to /upload when authenticated', async () => {
+    const token = await loginAs(ctx.app, 'alice', 'secret');
+    const res = await ctx.app.inject({ method: 'GET', url: '/', cookies: { token } });
+    expect(res.statusCode).toBe(302);
+    expect(res.headers['location']).toBe('/upload');
+  });
+});
+
+describe('POST /login (page)', () => {
+  let ctx: TestContext;
+
+  beforeEach(async () => { ctx = await setup(); });
+  afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
+
+  it('redirects to /upload on valid credentials', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/login',
+      headers: { 'content-type': 'application/x-www-form-urlencoded' },
+      payload: 'username=alice&password=secret',
+    });
+    expect(res.statusCode).toBe(302);
+    expect(res.headers['location']).toBe('/upload');
+    expect(res.headers['set-cookie']).toMatch(/token=/);
+  });
+
+  it('shows login page with error on invalid credentials', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/login',
+      headers: { 'content-type': 'application/x-www-form-urlencoded' },
+      payload: 'username=alice&password=wrong',
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.body).toContain('Invalid');
+  });
+});
+
+describe('GET /upload + POST /upload', () => {
+  let ctx: TestContext;
+  let token: string;
+
+  beforeEach(async () => {
+    ctx = await setup();
+    token = await loginAs(ctx.app, 'alice', 'secret');
+  });
+  afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
+
+  it('shows upload form', async () => {
+    const res = await ctx.app.inject({ method: 'GET', url: '/upload', cookies: { token } });
+    expect(res.statusCode).toBe(200);
+    expect(res.body).toContain('Upload');
+  });
+
+  it('redirects to / when not authenticated', async () => {
+    const res = await ctx.app.inject({ method: 'GET', url: '/upload' });
+    expect(res.statusCode).toBe(302);
+    expect(res.headers['location']).toBe('/');
+  });
+
+  it('shows result page after upload', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: '/upload',
+      cookies: { token },
+      ...buildMultipart({ file: { filename: 'doc.txt', contentType: 'text/plain', data: Buffer.from('content') } }),
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.body).toContain('doc.txt');
+    expect(res.body).toContain('/f/');
+  });
+});
+
+describe('GET /f/:id and GET /f/:id/raw', () => {
+  let ctx: TestContext;
+  let fileId: string;
+
+  beforeEach(async () => {
+    ctx = await setup();
+    const token = await loginAs(ctx.app, 'alice', 'secret');
+    const uploadRes = await ctx.app.inject({
+      method: 'POST',
+      url: '/upload',
+      cookies: { token },
+      ...buildMultipart({ file: { filename: 'hello.txt', contentType: 'text/plain', data: Buffer.from('hello!') } }),
+    });
+    // Extract file id from response body
+    const match = uploadRes.body.match(/\/f\/([^/"]+)/);
+    fileId = match?.[1] ?? '';
+  });
+  afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
+
+  it('shows file view page', async () => {
+    const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}` });
+    expect(res.statusCode).toBe(200);
+    expect(res.body).toContain('hello.txt');
+  });
+
+  it('serves raw file', async () => {
+    const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}/raw` });
+    expect(res.statusCode).toBe(200);
+    expect(res.body).toBe('hello!');
+  });
+
+  it('returns 404 for unknown file', async () => {
+    const res = await ctx.app.inject({ method: 'GET', url: '/f/doesnotexist' });
+    expect(res.statusCode).toBe(404);
+  });
+});
+
+describe('POST /files/:id/delete', () => {
+  let ctx: TestContext;
+  let token: string;
+  let fileId: string;
+
+  beforeEach(async () => {
+    ctx = await setup();
+    token = await loginAs(ctx.app, 'alice', 'secret');
+    const uploadRes = await ctx.app.inject({
+      method: 'POST',
+      url: '/upload',
+      cookies: { token },
+      ...buildMultipart({ file: { filename: 'del.txt', contentType: 'text/plain', data: Buffer.from('bye') } }),
+    });
+    const match = uploadRes.body.match(/\/f\/([^/"]+)/);
+    fileId = match?.[1] ?? '';
+  });
+  afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
+
+  it('deletes and redirects to /files', async () => {
+    const res = await ctx.app.inject({
+      method: 'POST',
+      url: `/files/${fileId}/delete`,
+      cookies: { token },
+    });
+    expect(res.statusCode).toBe(302);
+    expect(res.headers['location']).toBe('/files');
+  });
+});