From 125e59fb7915a269e30198618a7c077e9b24ca7d Mon Sep 17 00:00:00 2001
From: shankar0123 <skreddy040@gmail.com>
Date: Mon, 11 May 2026 14:37:36 +0000
Subject: [PATCH] test(client): mock headers.get() so 401 tests survive HIGH-8
 WWW-Authenticate read

Audit 2026-05-10 HIGH-8 closure landed a parseWWWAuthenticateCause()
call in api/client.ts (line 144) that reads res.headers.get(...) on the
401 path. The two test files in web/src/api/ both provide a Response
mock with no headers property, so every 401 test threw 'Cannot read
properties of undefined (reading get)' instead of the expected
'Authentication required'.

13 tests fail without this fix: 12 in client.error.test.ts (one per
401-mapped endpoint helper) + 1 in client.test.ts (the auth-required
event-dispatch test).

Fix: add headers: { get: () => null } to both mockErrorResponse helpers.
The null return short-circuits parseWWWAuthenticateCause to the default
'Authentication required' message, so every existing 401 assertion
keeps passing.
---
 web/src/api/client.error.test.ts | 4 ++++
 web/src/api/client.test.ts       | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/web/src/api/client.error.test.ts b/web/src/api/client.error.test.ts
index 8c4ea98..34326ca 100644
--- a/web/src/api/client.error.test.ts
+++ b/web/src/api/client.error.test.ts
@@ -51,6 +51,10 @@ function mockErrorResponse(status: number, body: { message?: string; error?: str
     status,
     json: () => Promise.resolve(body),
     statusText: 'Error',
+    // Audit 2026-05-10 HIGH-8 closure landed a WWW-Authenticate-header
+    // read in the 401 path (src/api/client.ts L144). The mock needs a
+    // headers.get() so the read doesn't throw against an undefined.
+    headers: { get: () => null } as unknown as Headers,
   } as Response);
 }
 
diff --git a/web/src/api/client.test.ts b/web/src/api/client.test.ts
index 1068043..be89a6b 100644
--- a/web/src/api/client.test.ts
+++ b/web/src/api/client.test.ts
@@ -120,6 +120,10 @@ function mockErrorResponse(status: number, body: { message?: string; error?: str
     status,
     json: () => Promise.resolve(body),
     statusText: 'Error',
+    // Audit 2026-05-10 HIGH-8 closure landed a WWW-Authenticate-header
+    // read in the 401 path (src/api/client.ts L144). The mock needs a
+    // headers.get() so the read doesn't throw against an undefined.
+    headers: { get: () => null } as unknown as Headers,
   } as Response);
 }