test: stabilize e2e auth and rate limits

backend/.dockerignore

@@ -9,3 +9,5 @@ dist
 *.log
 prisma/dev.db
 prisma/dev.db-journal
+prisma/*.db
+prisma/*.db-*

backend/docker-entrypoint.sh

@@ -25,6 +25,15 @@ if [ -f "/app/prisma/dev.db" ]; then
     chmod 666 /app/prisma/dev.db
 fi
 
+# Optionally reset the database (used for E2E runs)
+if [ "${RESET_DB_ON_START}" = "true" ]; then
+    DB_PATH="${DATABASE_URL#file:}"
+    if [ "$DB_PATH" != "$DATABASE_URL" ]; then
+        echo "Resetting database at ${DB_PATH}..."
+        rm -f "${DB_PATH}" "${DB_PATH}-journal" "${DB_PATH}-wal" "${DB_PATH}-shm"
+    fi
+fi
+
 # 3. Run Migrations (Drop privileges to nodejs)
 echo "Running database migrations..."
 su-exec nodejs npx prisma migrate deploy

backend/src/__tests__/auth.integration.test.ts

@@ -20,8 +20,8 @@ describe("Authentication flows", () => {
     setupTestDb();
     prisma = getTestPrisma();
     await initTestDb(prisma);
-    const appModule = await import("../index");
-    app = appModule.default || appModule.app || appModule;
+    const appModule = (await import("../index")) as { default: unknown };
+    app = appModule.default;
   });
 
   beforeEach(async () => {
@@ -51,7 +51,9 @@ describe("Authentication flows", () => {
       .set("x-csrf-token", token)
       .send({ username: "admin", password: "password123" });
 
-    return login.headers["set-cookie"] as string[] | undefined;
+    const cookies = login.headers["set-cookie"];
+    if (!cookies) return undefined;
+    return Array.isArray(cookies) ? cookies : [cookies];
   };
 
   afterAll(async () => {

backend/src/index.ts

@@ -804,6 +804,55 @@ app.post("/auth/password", async (req, res) => {
   return res.json(authChangePasswordResponse(updated));
 });
 
+app.post("/auth/test/must-reset", async (req, res) => {
+  if (process.env.NODE_ENV !== "test") {
+    return res.status(404).json({
+      error: "Not found",
+      message: "Endpoint is only available in test environments.",
+    });
+  }
+
+  const session = getAuthSessionFromCookie(req.headers.cookie, authConfig);
+  if (!session) {
+    return res.status(401).json({
+      error: "Unauthorized",
+      message: "Authentication required",
+    });
+  }
+
+  const currentUser = await prisma.user.findUnique({
+    where: { id: session.userId },
+    select: { id: true, role: true },
+  });
+
+  if (!currentUser || currentUser.role !== "ADMIN") {
+    return res.status(403).json({
+      error: "Forbidden",
+      message: "Admin privileges required.",
+    });
+  }
+
+  const payloadSchema = z.object({ enabled: z.boolean() });
+  const parsed = payloadSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(400).json({
+      error: "Invalid payload",
+      message: "Expected { enabled: boolean }.",
+    });
+  }
+
+  const updated = await prisma.user.update({
+    where: { id: currentUser.id },
+    data: { mustResetPassword: parsed.data.enabled },
+    select: { id: true, username: true, email: true, role: true, mustResetPassword: true },
+  });
+
+  res.setHeader("Cache-Control", "no-store");
+  return res.json({
+    user: toAuthUserWithResetFlag(updated as AuthenticatedUser & { mustResetPassword: boolean }),
+  });
+});
+
 app.post("/auth/register", async (req, res) => {
   const config = await getSystemConfig();
   const existingUsers = await prisma.user.count();
@@ -1930,11 +1979,16 @@ const ensureTrashCollection = async () => {
   }
 };
 
+const shouldEnsureInitialAdmin =
+  process.env.NODE_ENV !== "test" && process.env.SKIP_INITIAL_ADMIN !== "true";
+
 httpServer.listen(PORT, async () => {
   await initializeUploadDir();
   await ensureTrashCollection();
   await ensureSystemConfig();
-  await ensureInitialAdminUser();
+  if (shouldEnsureInitialAdmin) {
+    await ensureInitialAdminUser();
+  }
   console.log(`Server running on port ${PORT}`);
 });