server/models: refactor apiKey to its own file & add test

Author: clairep94

server/models/__test__/apiKey.test.ts

@@ -0,0 +1,51 @@
+import mongoose, { model } from 'mongoose';
+import { apiKeySchema } from '../apiKey';
+
+const ApiKey = model('ApiKey', apiKeySchema);
+
+describe('ApiKey schema', () => {
+  it('should set default label and generate an id virtual', () => {
+    const doc = new ApiKey({ hashedKey: 'supersecret' });
+
+    expect(doc.label).toBe('API Key');
+
+    // _id is always generated
+    expect(doc._id).toBeInstanceOf(mongoose.Types.ObjectId);
+
+    // id virtual is stringified _id
+    expect(typeof doc.id).toBe('string');
+    expect(doc.id).toEqual(doc._id.toHexString());
+  });
+
+  it('should exclude hashedKey from toObject and toJSON', () => {
+    const doc = new ApiKey({ hashedKey: 'supersecret', label: 'Test Key' });
+
+    const obj = doc.toObject();
+    const json = doc.toJSON();
+
+    expect(obj).not.toHaveProperty('hashedKey');
+    expect(json).not.toHaveProperty('hashedKey');
+  });
+
+  it('should include id, label, lastUsedAt, createdAt and updatedAt in output', () => {
+    const now = new Date();
+    const doc = new ApiKey({
+      hashedKey: 'supersecret',
+      label: 'My Key',
+      lastUsedAt: now
+    });
+
+    // mock timestamps (normally set on save)
+    doc.createdAt = new Date('2025-01-01T00:00:00Z');
+    doc.updatedAt = new Date('2025-01-02T00:00:00Z');
+
+    const obj = doc.toObject();
+
+    expect(obj).toMatchObject({
+      id: expect.any(String),
+      label: 'My Key',
+      lastUsedAt: now,
+      createdAt: new Date('2025-01-01T00:00:00Z')
+    });
+  });
+});

server/models/apiKey.js

@@ -0,0 +1,37 @@
+import mongoose, { Schema } from 'mongoose';
+
+export const apiKeySchema = new Schema(
+  {
+    label: { type: String, default: 'API Key' },
+    lastUsedAt: { type: Date },
+    hashedKey: { type: String, required: true }
+  },
+  { timestamps: true, _id: true }
+);
+
+apiKeySchema.virtual('id').get(function getApiKeyId() {
+  return this._id.toHexString();
+});
+
+/**
+ * When serialising an APIKey instance, the `hashedKey` field
+ * should never be exposed to the client. So we only return
+ * a safe list of fields when toObject and toJSON are called.
+ */
+function apiKeyMetadata(doc, ret, options) {
+  return {
+    id: doc.id,
+    label: doc.label,
+    lastUsedAt: doc.lastUsedAt,
+    createdAt: doc.createdAt
+  };
+}
+
+apiKeySchema.set('toObject', {
+  transform: apiKeyMetadata
+});
+
+apiKeySchema.set('toJSON', {
+  virtuals: true,
+  transform: apiKeyMetadata
+});

server/models/user.js

@@ -1,5 +1,6 @@
 import mongoose from 'mongoose';
 import bcrypt from 'bcryptjs';
+import { apiKeySchema } from './apiKey';
 
 const EmailConfirmationStates = {
   Verified: 'verified',
@@ -9,42 +10,6 @@ const EmailConfirmationStates = {
 
 const { Schema } = mongoose;
 
-const apiKeySchema = new Schema(
-  {
-    label: { type: String, default: 'API Key' },
-    lastUsedAt: { type: Date },
-    hashedKey: { type: String, required: true }
-  },
-  { timestamps: true, _id: true }
-);
-
-apiKeySchema.virtual('id').get(function getApiKeyId() {
-  return this._id.toHexString();
-});
-
-/**
- * When serialising an APIKey instance, the `hashedKey` field
- * should never be exposed to the client. So we only return
- * a safe list of fields when toObject and toJSON are called.
- */
-function apiKeyMetadata(doc, ret, options) {
-  return {
-    id: doc.id,
-    label: doc.label,
-    lastUsedAt: doc.lastUsedAt,
-    createdAt: doc.createdAt
-  };
-}
-
-apiKeySchema.set('toObject', {
-  transform: apiKeyMetadata
-});
-
-apiKeySchema.set('toJSON', {
-  virtuals: true,
-  transform: apiKeyMetadata
-});
-
 const userSchema = new Schema(
   {
     name: { type: String, default: '' },