chore(tests): remove obsolete API_KEY references from test suite

[namtroi]

User description

• Remove API_KEY export and env.API_KEY from e2e-setup.ts
• Remove X-API-Key headers from 3 E2E tests and 8 integration tests
• Remove authHeaders() function from tests/helpers/api.ts
• Auth middleware now demo mode (no-op), making API key checks dead code

All 184 unit tests, integration tests, and E2E tests pass.

---

PR Type

Tests

---

Description

• Remove API_KEY export from e2e-setup.ts and all test files

• Remove X-API-Key headers from 11 E2E and integration tests

• Remove authHeaders() helper function from tests/helpers/api.ts

• Auth middleware now operates in demo mode, eliminating API key checks

---

Diagram Walkthrough

flowchart LR
  A["API_KEY constant<br/>and exports"] -->|removed| B["e2e-setup.ts"]
  C["X-API-Key<br/>headers"] -->|removed| D["11 test files"]
  E["authHeaders()<br/>helper function"] -->|removed| F["tests/helpers/api.ts"]
  G["Auth middleware<br/>demo mode"] -->|eliminates| H["API key validation"]

Loading

File Walkthrough

Relevant files

Tests

13 files error-handling.test.ts Remove API_KEY import and header usage                                      +1/-13    pdf-upload-flow.test.ts Remove API_KEY import and header usage                                      +1/-5      query-flow.test.ts Remove API_KEY import and header usage                                      +1/-7      e2e-setup.ts Remove API_KEY environment variable and export                      +1/-2      api.ts Remove authHeaders() helper function                                          +2/-15    analytics-e2e.test.ts Remove API_KEY constant and header usage                                  +6/-6      chunks-api.test.ts Remove API_KEY constant and header usage                                  +15/-15  content-route.test.ts Remove API_KEY constant and header usage                                  +8/-8      availability-route.test.ts Remove API_KEY constant and header usage                                  +15/-15  delete-route.test.ts Remove API_KEY constant and header usage                                  +14/-14  retry-route.test.ts Remove API_KEY constant and header usage                                  +14/-14  list-route.test.ts Remove API_KEY constant and header usage                                  +19/-19  status-route.test.ts Remove API_KEY constant and header usage                                  +8/-8

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Authentication mechanism is no longer tested The PR removes all API key checks from tests, leaving the authentication middleware without test coverage. A separate test suite should be added to validate authentication logic and prevent future security regressions. Examples: apps/backend/tests/e2e/pdf-upload-flow.test.ts [27-33] method: 'POST', url: '/api/documents', headers: { 'Content-Type': 'multipart/form-data; boundary=---e2e', }, payload: createMultipartPayload('test.pdf', pdfBuffer, 'application/pdf'), }); apps/backend/tests/integration/routes/chunks-api.test.ts [52-56] const response = await app.inject({ method: 'GET', url: '/api/chunks', }); Solution Walkthrough: Before: // In various e2e and integration tests import { API_KEY, ... } from '@tests/e2e/setup/e2e-setup.js'; describe('API Endpoint Test', () => { it('should successfully call an endpoint', async () => { const response = await app.inject({ method: 'GET', url: '/api/documents', headers: { 'X-API-Key': API_KEY }, // Authentication header is required }); expect(response.statusCode).toBe(200); }); }); After: // Current state in PR (no auth tests) describe('API Endpoint Test', () => { it('should successfully call an endpoint', async () => { const response = await app.inject({ method: 'GET', url: '/api/documents', // No authentication header }); expect(response.statusCode).toBe(200); }); }); // Suggested new, separate test suite describe('Authentication Middleware', () => { // Tests run with auth middleware enabled it('should reject requests with no API key'); it('should reject requests with an invalid API key'); it('should accept requests with a valid API key'); }); Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies that removing API key checks from tests eliminates coverage for the authentication middleware, which is a critical security risk for future development.	High
General	Remove unnecessary empty line In apps/backend/tests/integration/routes/chunks-api.test.ts, remove the unnecessary empty line inside the beforeAll hook to improve code cleanliness. apps/backend/tests/integration/routes/chunks-api.test.ts [6-13] describe('Chunks Explorer API', () => { let app: any; - beforeAll(async () => { - app = await createTestApp(); }); Apply / Chat Suggestion importance[1-10]: 2 __ Why: The suggestion correctly identifies and proposes to remove empty lines left over from code deletion, which is a minor code style improvement.	Low
More