From fc8e1d11533da8fe14d1aa2ad6ddfa8e5442b097 Mon Sep 17 00:00:00 2001
From: lempkey
Date: Mon, 6 Apr 2026 16:28:42 +0100
Subject: [PATCH] test: add over-broad route guard test and address Greptile review
---
 server/src/__tests__/express5-auth-wildcard.test.ts | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/server/src/__tests__/express5-auth-wildcard.test.ts b/server/src/__tests__/express5-auth-wildcard.test.ts
index d3e8d618..2771afe1 100644
--- a/server/src/__tests__/express5-auth-wildcard.test.ts
+++ b/server/src/__tests__/express5-auth-wildcard.test.ts
@@ -38,6 +38,15 @@ describe("Express 5 /api/auth wildcard route", () => {
 expect(res.status).toBe(200);
 });
 
+ it("does not match unrelated paths outside /api/auth", async () => {
+ // Confirm the route is not over-broad — requests to other API paths
+ // must fall through to 404 and not reach the better-auth handler.
+ const { app, handler } = buildApp();
+ const res = await request(app).get("/api/other/endpoint");
+ expect(res.status).toBe(404);
+ expect(handler).not.toHaveBeenCalled();
+ });
+
 it("invokes the handler for every matched sub-path", async () => {
 const { app, handler } = buildApp();
 await request(app).post("/api/auth/sign-out");
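Review bot: The new negative test probes only `/api/other/endpoint`, which shares nothing with the mounted prefix beyond `/api`, so it would still pass if the wildcard were anchored too loosely and also matched sibling paths that merely start with `/api/auth`. A second request in the same `it` block, or a sibling case, would cover that boundary, e.g. `const near = await request(app).get("/api/authx/session");` followed by `expect(near.status).toBe(404);` and the existing `expect(handler).not.toHaveBeenCalled();`. The route pattern and `buildApp` are defined outside this hunk, so whether a near-miss prefix currently leaks through cannot be confirmed from here. The 404 assertion also assumes `buildApp` registers no other routes or fallback middleware, which deserves a short comment next to the expectation.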