1. Testing Strategy
VitalNexa employs a layered testing strategy that combines automated testing at multiple levels with manual exploratory testing for UX-critical workflows. Given the healthcare nature of the application, security and data isolation tests receive elevated priority.
1.1 Testing Pyramid
| Level | Scope | Volume | Speed |
|---|---|---|---|
| Unit Tests | Individual functions, models, utilities, encryption helpers, validators | High (200+) | Fast (<30s total) |
| Integration Tests | API endpoints with database, auth flows, file upload pipeline, RLS enforcement | Medium (80+) | Moderate (2-5 min) |
| End-to-End Tests | Full user workflows: register, upload, chat, track results | Low (20+) | Slow (5-10 min) |
| Security Tests | Injection, XSS, CORS, token tampering, privilege escalation | Medium (40+) | Moderate (3-5 min) |
2. Coverage Targets
| Component | Target Coverage | Current Coverage | Status |
|---|---|---|---|
| Backend (FastAPI) | 80%+ | 76% | In Progress |
| Frontend (React/TS) | 70%+ | 62% | In Progress |
| Encryption Module | 95%+ | 97% | Met |
| Auth Module | 90%+ | 91% | Met |
| Database / RLS | 85%+ | 88% | Met |
3. Testing Tools
| Tool | Purpose | Layer |
|---|---|---|
| pytest | Backend unit and integration tests, fixtures, parametrized test cases | Backend |
| httpx (AsyncClient) | Async HTTP client for testing FastAPI endpoints without a running server | Backend |
| pytest-cov | Code coverage measurement and reporting | Backend |
| React Testing Library | Component rendering, user interaction simulation, accessibility queries | Frontend |
| Vitest | Test runner for React/TypeScript components, fast HMR-based execution | Frontend |
| Playwright | End-to-end browser automation across Chromium, Firefox, and WebKit (the Safari engine) | E2E |
| OWASP ZAP | Automated security scanning for common web vulnerabilities | Security |
4. Authentication Tests
4.1 Registration
- Successful registration with valid email and strong password returns 201 and sends verification email
- Registration with duplicate email returns 409 Conflict
- Registration with weak password (missing uppercase, numbers, special chars) returns 422 with specific error
- Registration with invalid email format returns 422
- Email verification with valid token activates account
- Email verification with expired token returns 400 with re-send option
4.2 Login
- Login with correct credentials returns access token and refresh token
- Login with incorrect password returns 401 and increments failed attempt counter
- Login with unverified email returns 403 with message to verify
- Login after 5 failed attempts returns 429 with lockout duration
- Login after lockout period expires succeeds with correct credentials
- Failed attempt counter resets after successful login
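The lockout cases above are easiest to test against a throttle whose clock is injectable, so the suite can jump past the lockout window instead of sleeping. The following is an added example, not VitalNexa's own code: the class and function names, the 15-minute lockout duration and the sample account are assumptions made for the example (the page fixes only the 5-attempt threshold).

```python
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_ATTEMPTS = 5            # page: lockout after 5 failed attempts
LOCKOUT_SECONDS = 15 * 60   # assumed duration; the page does not state one


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: Optional[float] = None


@dataclass
class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout.

    `now` is injected so tests advance time deterministically instead of
    sleeping through the lockout window.
    """
    now: Callable[[], float]
    state: Dict[str, _AccountState] = field(default_factory=dict)

    def _get(self, email: str) -> _AccountState:
        return self.state.setdefault(email.strip().lower(), _AccountState())

    def retry_after(self, email: str) -> int:
        """Whole seconds left on the lockout, or 0 when the account is open."""
        acct = self._get(email)
        if acct.locked_until is None:
            return 0
        remaining = acct.locked_until - self.now()
        if remaining <= 0:
            acct.locked_until = None   # window over: start with a clean counter
            acct.failures = 0
            return 0
        return math.ceil(remaining)

    def attempt(self, email: str, password_ok: bool) -> dict:
        """Apply the policy and return the status the endpoint should send.

        The lockout is checked before the password, so a locked account gets
        429 even for correct credentials; otherwise the lock would not stop
        guessing at all.
        """
        wait = self.retry_after(email)
        if wait:
            return {"status": 429, "retry_after": wait}
        acct = self._get(email)
        if password_ok:
            acct.failures = 0          # page: counter resets on success
            return {"status": 200}
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            return {"status": 429, "retry_after": LOCKOUT_SECONDS}
        return {"status": 401, "failures": acct.failures}


class FakeClock:
    """Controllable clock for the tests."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def lockout_scenario() -> List[int]:
    """Walks the 4.2 cases in order and returns the status codes seen."""
    clock = FakeClock()
    throttle = LoginThrottle(now=clock)
    email = "alice@example.com"   # constructed test account
    seen = []
    for _ in range(MAX_ATTEMPTS - 1):
        seen.append(throttle.attempt(email, False)["status"])   # 401 four times
    seen.append(throttle.attempt(email, False)["status"])       # 5th failure -> 429
    seen.append(throttle.attempt(email, True)["status"])        # right password, still 429
    clock.advance(LOCKOUT_SECONDS)
    seen.append(throttle.attempt(email, True)["status"])        # lockout expired -> 200
    seen.append(throttle.attempt(email, False)["status"])       # counter was reset -> 401
    return seen
```

In a pytest suite the `FakeClock` becomes a fixture and each bullet in 4.2 becomes one test function calling `attempt` and asserting on the returned status; the scenario function above is the whole sequence in one place so the order of the checks (lockout first, then password) is visible.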
4.3 JWT Token Management
- Access token with valid signature grants API access
- Expired access token returns 401
- Tampered token (modified payload) returns 401
- Token with wrong signing key returns 401
- Refresh token generates new access token with updated expiration
- Revoked refresh token returns 401
5. API Tests
5.1 Test Results CRUD
- POST /api/test-results with valid data creates entry and returns 201
- GET /api/test-results returns only the authenticated user's entries
- GET /api/test-results/{id} for own entry returns 200 with full data
- GET /api/test-results/{id} for another user's entry returns 404 (not 403, to prevent enumeration)
- PUT /api/test-results/{id} updates entry and returns 200
- DELETE /api/test-results/{id} soft-deletes entry and returns 204
- Pagination parameters (limit, offset) return correct slices
- Filtering by biomarker type and date range works correctly
5.2 AI Wellness Chat
- POST /api/chat with wellness question returns streamed response
- Chat response references user's lab data when relevant biomarkers exist
- Chat politely declines clinical diagnosis requests
- Chat includes wellness disclaimer for supplement/peptide guidance
- Unauthenticated chat request returns 401
- Chat handles empty message body gracefully (returns 422)
5.3 Health Record Upload
- POST /api/records/upload with valid .pdf returns 201 and processes file
- POST /api/records/upload with valid .txt returns 201 and processes file
- Upload of unsupported file type (.exe, .jpg) returns 415
- Upload exceeding 10 MB returns 413
- Uploaded document content is searchable in subsequent chat queries
- DELETE /api/records/{id} removes file and its vector embeddings
6. Security Tests
6.1 Injection Prevention
- SQL injection in login fields (e.g., ' OR 1=1 --) returns 401, not data
- SQL injection in query parameters does not bypass RLS
- NoSQL-style injection payloads are rejected
- Command injection payloads (shell metacharacters) in file upload filenames are sanitized before the name reaches any subprocess or filesystem call
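The login-field injection test from 6.1 and the ownership test from 5.1 (another user's row answered with 404, indistinguishable from a missing id) both come down to how the query is built. The block below is an added example, not VitalNexa's own code: it uses an in-memory SQLite fixture with constructed users and lab rows (table names, columns and sample data are assumptions), shows the vulnerable string-built lookup beside the parameterized one with the page's payload, and scopes every result fetch by the authenticated user inside the query itself, which also excludes soft-deleted rows.

```python
import sqlite3
from typing import Optional, Tuple

INJECTION = "' OR 1=1 --"  # payload quoted on the page


def make_db() -> sqlite3.Connection:
    """In-memory fixture: two users, one live result each, one soft-deleted
    row for Alice. All data is constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL);
        CREATE TABLE test_results (
            id INTEGER PRIMARY KEY,
            user_id INTEGER NOT NULL REFERENCES users(id),
            biomarker TEXT NOT NULL,
            value REAL NOT NULL,
            deleted_at TEXT
        );
        INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
        INSERT INTO test_results VALUES
            (10, 1, 'ferritin', 42.0, NULL),
            (20, 2, 'hba1c', 5.4, NULL),
            (30, 1, 'tsh', 2.1, '2026-04-01T00:00:00Z');
        """
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable (the 'before'): the input is spliced into the
    SQL text, so INJECTION turns the WHERE clause into
        email = '' OR 1=1 --'
    and every user row is returned."""
    return conn.execute(f"SELECT id, email FROM users WHERE email = '{email}'").fetchall()


def find_user(conn: sqlite3.Connection, email: str) -> Optional[Tuple[int, str]]:
    """Hardened: a bound parameter, so the payload is compared as a literal
    string and matches no row; the login endpoint then answers 401."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchone()


def get_result(conn: sqlite3.Connection, result_id: int, user_id: int) -> Optional[dict]:
    """Ownership is part of the query, not a check made after fetching.
    Another user's row, a soft-deleted row and a nonexistent id all yield
    None, so the endpoint answers 404 for all three and the response does
    not reveal whether the id exists."""
    row = conn.execute(
        "SELECT id, biomarker, value FROM test_results "
        "WHERE id = ? AND user_id = ? AND deleted_at IS NULL",
        (result_id, user_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "biomarker": row[1], "value": row[2]}


def get_result_status(conn: sqlite3.Connection, result_id: int, user_id: int) -> int:
    """HTTP status the GET /api/test-results/{id} handler should return."""
    return 200 if get_result(conn, result_id, user_id) else 404


def list_results(conn: sqlite3.Connection, user_id: int) -> list:
    """List endpoint: always filtered by the authenticated user, never by a
    client-supplied user id."""
    rows = conn.execute(
        "SELECT id FROM test_results WHERE user_id = ? AND deleted_at IS NULL ORDER BY id",
        (user_id,),
    )
    return [r[0] for r in rows]
```

The vulnerable function is kept only so the test can demonstrate what the payload does to a string-built query; the hardened functions are the pattern every query in the data layer should follow, with `user_id` taken from the verified token rather than from the request.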
6.2 Cross-Site Scripting (XSS)
- Script tags in biomarker names are escaped in API responses
- Script tags in chat messages are escaped before rendering
- Event handler attributes in uploaded filenames are stripped
- Content-Security-Policy header prevents inline script execution
6.3 CORS and Headers
- CORS allows only the configured frontend origin
- Requests from unauthorized origins receive no Access-Control-Allow-Origin header
- Security headers present: X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security
6.4 Token Tampering
- JWT with modified user_id claim is rejected
- JWT with modified exp claim (extended expiry) is rejected
- JWT with alg set to none (unsigned) is rejected
- JWT using algorithm confusion (a token re-signed with HS256 using the RS256 public key as the HMAC secret, or any alg other than the one the server is configured for) is rejected
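The token checks in 4.3 and the tampering cases above all hinge on the order in which a verifier does its work: fix the algorithm from server configuration, check the signature, and only then read claims. The block below is an added example, not VitalNexa's own code: a minimal HS256 signer and strict verifier written with the standard library so the tests run offline, with the secret, claim names (sub, user_id, exp) and the fixed clock constructed for the example. A production service would use a maintained JWT library configured the same way (one allowed algorithm, exp enforced, no trust in the token header).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALG = "HS256"  # fixed in server config; the token's own header never decides this


class InvalidToken(Exception):
    """Raised for any token the API must answer with 401."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign(claims: dict, key: bytes, alg: str = ALLOWED_ALG) -> str:
    """Issue a compact JWT. `alg` is a parameter only so the tests can forge
    headers such as alg=none; a real issuer hard-codes it."""
    header = _encode_json({"alg": alg, "typ": "JWT"})
    payload = _encode_json(claims)
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token or raise InvalidToken.

    Order matters:
      1. reject any alg other than the configured one; this kills alg=none
         and RS256/HS256 confusion because the header is never used to pick
         the key or the algorithm,
      2. check the signature in constant time over the exact bytes received,
      3. only then decode and trust the claims, enforcing exp.
    """
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != ALLOWED_ALG:
        raise InvalidToken(f"alg {alg!r} not allowed")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed claims") from exc
    current = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= current:
        raise InvalidToken("expired")
    return claims


KEY = b"constructed-example-secret-not-for-production-use"
NOW = 1_700_000_000  # fixed clock so the verdicts are deterministic


def outcome(token: str, key: bytes = KEY, now: float = NOW) -> str:
    try:
        verify(token, key, now=now)
        return "accepted"
    except InvalidToken as exc:
        return f"rejected: {exc}"


def tampering_cases() -> dict:
    """The 4.3 / 6.4 negative tests as one table of case -> verifier verdict."""
    good = {"sub": "alice@example.com", "user_id": 1, "exp": NOW + 900}
    h64, _, s64 = sign(good, KEY).split(".")
    edited_uid = _encode_json({**good, "user_id": 2})      # payload edited, signature kept
    edited_exp = _encode_json({**good, "exp": NOW + 10**7})
    return {
        "valid": outcome(sign(good, KEY)),
        "expired": outcome(sign({**good, "exp": NOW - 1}, KEY)),
        "wrong_key": outcome(sign(good, b"some-other-key")),
        "modified_user_id": outcome(f"{h64}.{edited_uid}.{s64}"),
        "extended_exp": outcome(f"{h64}.{edited_exp}.{s64}"),
        "alg_none": outcome(sign(good, KEY, alg="none")),      # unsigned token
        # Header claims RS256 while the body is HMAC-signed with the shared
        # key: the confusion shape, refused before the signature is even checked.
        "alg_confusion": outcome(sign(good, KEY, alg="RS256")),
    }
```

Each entry in `tampering_cases()` maps onto one bullet of 6.4, and the verdict strings make a convenient parametrized pytest input. The check that matters most is the first one in `verify`: as long as the algorithm comes from configuration and not from the header, neither alg=none nor a key-type confusion can reach the signature comparison.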
7. Encryption Tests
7.1 AES-256-GCM Roundtrip
- Encrypt then decrypt with same key returns original plaintext
- Decrypt with wrong key raises authentication error (GCM tag mismatch)
- Each encryption produces unique ciphertext (fresh random 96-bit IV/nonce per call; reusing a nonce under the same key breaks GCM's confidentiality and authentication)
- Ciphertext length equals the plaintext length plus the GCM overhead (16-byte authentication tag, plus the nonce where it is stored with the ciphertext)
- Empty string encryption and decryption works correctly
- Unicode text (names, addresses) survives encrypt/decrypt roundtrip
7.2 Key Versioning and Rotation
- Data encrypted with key v1 can be decrypted after rotation to key v2
- New encryptions use the latest key version
- Key version is stored alongside ciphertext for correct key selection
- Re-encryption migration correctly updates all records to latest key version
- Old key versions remain accessible until migration is confirmed complete
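The roundtrip checks in 7.1 and the rotation checks in 7.2 can share one envelope format. What follows is an added example, not VitalNexa's own code: it uses the `cryptography` package's AESGCM (pip install cryptography), stores a version byte and the nonce in front of the ciphertext, and binds the version byte into the GCM tag as associated data. The envelope layout (1-byte version || 12-byte nonce || ciphertext+tag), the KeyRing class and the migration helper are assumptions; the page states only that the key version is stored alongside the ciphertext.

```python
import os
from typing import Dict, List

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # 96-bit nonce, the GCM standard size; fresh per call, never reused under one key
TAG_LEN = 16     # GCM appends a 16-byte authentication tag to the ciphertext
VERSION_LEN = 1  # assumed envelope header: one version byte (so at most 255 rotations)


class KeyRing:
    """Holds every key version still needed to decrypt stored data."""

    def __init__(self, keys: Dict[int, bytes]) -> None:
        self.keys = dict(keys)

    @property
    def current(self) -> int:
        return max(self.keys)

    def rotate(self) -> int:
        """Add a fresh AES-256 key as the new current version; old keys stay."""
        new_version = self.current + 1
        self.keys[new_version] = AESGCM.generate_key(bit_length=256)
        return new_version

    def retire(self, version: int) -> None:
        """Only after migration is confirmed: drop a key no ciphertext depends on."""
        del self.keys[version]


def new_ring() -> KeyRing:
    """A ring holding a single, freshly generated v1 key (constructed for the tests)."""
    return KeyRing({1: AESGCM.generate_key(bit_length=256)})


def encrypt(ring: KeyRing, plaintext: str) -> bytes:
    """Envelope: version || nonce || ciphertext+tag. The version byte is also
    passed as AAD so it is authenticated: editing it to point at another key
    fails the tag check instead of silently decrypting under the wrong key."""
    version = ring.current
    header = version.to_bytes(VERSION_LEN, "big")
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(ring.keys[version]).encrypt(nonce, plaintext.encode("utf-8"), header)
    return header + nonce + ct


def version_of(blob: bytes) -> int:
    return int.from_bytes(blob[:VERSION_LEN], "big")


def decrypt(ring: KeyRing, blob: bytes) -> str:
    """Select the key by the stored version; InvalidTag on a wrong key or any
    modification of header, nonce or ciphertext."""
    header = blob[:VERSION_LEN]
    version = int.from_bytes(header, "big")
    if version not in ring.keys:
        raise KeyError(f"key version {version} is not available")
    nonce = blob[VERSION_LEN:VERSION_LEN + NONCE_LEN]
    ct = blob[VERSION_LEN + NONCE_LEN:]
    return AESGCM(ring.keys[version]).decrypt(nonce, ct, header).decode("utf-8")


def can_decrypt(ring: KeyRing, blob: bytes) -> bool:
    """True if the blob authenticates under a key present in this ring."""
    try:
        decrypt(ring, blob)
        return True
    except (InvalidTag, KeyError):
        return False


def reencrypt_all(ring: KeyRing, rows: List[bytes]) -> List[bytes]:
    """Migration step from 7.2: rewrap every row that is not already under
    the current key. Rows already current are left untouched."""
    return [
        row if version_of(row) == ring.current else encrypt(ring, decrypt(ring, row))
        for row in rows
    ]
```

The ordering a rotation test should enforce is: rotate (v1 data still readable), re-encrypt every row, confirm every row now carries the current version and still decrypts, and only then retire v1. Retiring first would turn any row the migration missed into unrecoverable data.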
8. Multi-Tenancy Tests
- User A's test results are invisible to User B via API queries
- User A's uploaded health records are invisible to User B
- Direct database queries with User A's session context return only User A's rows
- RLS policies are enforced even when bypassing the API layer (direct SQL); the test connects as the application role, not as the table owner or a role with BYPASSRLS, since PostgreSQL exempts those from row-level security
- Bulk operations (list, search) never leak cross-tenant data
- Chat RAG retrieval only indexes the authenticated user's documents
- Admin queries are appropriately scoped (if admin role exists)
9. HIPAA Audit Tests
- Every successful API request generates an audit log entry with user_id, action, timestamp, IP, status code
- Every failed API request (4xx, 5xx) generates an audit log entry
- Audit logs for health record access include the record identifier
- Audit logs cannot be modified or deleted via the API
- Audit log entries include request method, path, and response time
- Login attempts (both successful and failed) are logged with IP address
- Data deletion events are logged with the type and count of records affected
10. Frontend Tests
10.1 Component Tests (React Testing Library)
- Login form renders required fields and submits correctly
- Registration form validates password strength in real-time
- Chat interface renders messages, handles streaming, displays disclaimers
- File upload component accepts .txt and .pdf, rejects other types
- Biomarker trend chart renders with correct data points
- Dashboard displays most recent lab results summary
10.2 End-to-End Tests (Playwright)
- Full registration, email verification, and first login flow
- Upload a PDF lab report and verify it appears in the records list
- Enter bloodwork results and verify the trend chart updates
- Send a wellness chat message and receive a streamed AI response
- Verify locked account flow after repeated failed logins
11. Test Report Summary
The following table summarizes the current test status across all categories as of April 5, 2026.
| Test Category | Total Tests | Passing | Failing | Pending | Status |
|---|---|---|---|---|---|
| Authentication (Unit) | 24 | 24 | 0 | 0 | PASS |
| Authentication (Integration) | 18 | 17 | 0 | 1 | IN PROGRESS |
| Test Results CRUD | 16 | 16 | 0 | 0 | PASS |
| AI Wellness Chat | 12 | 10 | 0 | 2 | IN PROGRESS |
| Health Record Upload | 10 | 10 | 0 | 0 | PASS |
| Security (Injection) | 8 | 8 | 0 | 0 | PASS |
| Security (XSS) | 8 | 8 | 0 | 0 | PASS |
| Security (CORS/Headers) | 6 | 6 | 0 | 0 | PASS |
| Security (Token Tampering) | 8 | 8 | 0 | 0 | PASS |
| Encryption (AES-256-GCM) | 12 | 12 | 0 | 0 | PASS |
| Encryption (Key Rotation) | 8 | 8 | 0 | 0 | PASS |
| Multi-Tenancy (RLS) | 14 | 14 | 0 | 0 | PASS |
| HIPAA Audit Logging | 10 | 10 | 0 | 0 | PASS |
| Frontend Components | 22 | 18 | 1 | 3 | IN PROGRESS |
| End-to-End (Playwright) | 8 | 5 | 0 | 3 | IN PROGRESS |
Summary: 184 total tests across all categories. 174 passing, 1 failing (frontend chart rendering edge case under investigation), 9 pending. Overall pass rate: 94.6%. All security-critical test categories are fully passing.