Testing Supabase Applications
1. Test RLS Policies
RLS bugs are silent data breaches. Test them explicitly.
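    import { describe, test, expect } from "vitest"

    // createAuthClient, userA, orgA and orgB are assumed to come from the
    // project's own test fixtures (not shown on this page).
    describe("RLS: scans table", () => {
      test("user can only see own org scans", async () => {
        const client = await createAuthClient(userA)
        const { data, error } = await client.from("scans").select("*")
        expect(error).toBeNull()
        // every() is true for an empty array, so require that seeded rows are visible
        expect(data.length).toBeGreaterThan(0)
        expect(data.every(s => s.organization_id === orgA.id)).toBe(true)
      })

      test("user cannot see other org scans", async () => {
        const client = await createAuthClient(userA)
        const { data, error } = await client
          .from("scans")
          .select("*")
          .eq("organization_id", orgB.id)
        // RLS filters rows silently: expect an empty result, not an error
        expect(error).toBeNull()
        expect(data).toHaveLength(0)
      })
    })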
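
An `every()` assertion on its own is also true for an empty result, so a test whose fixtures were never seeded, or whose query failed, can pass without proving anything about the policy. The following is an added example, not code from the original page: `checkOrgIsolation` is a hypothetical helper that classifies a supabase-js style `{ data, error }` result, and the sample results are constructed.

```javascript
// Added example: classify the { data, error } result of an RLS test query.
// checkOrgIsolation is a hypothetical helper name, not part of supabase-js.
function checkOrgIsolation(result, allowedOrgId) {
  const { data, error } = result
  // A failed query proves nothing about the policy.
  if (error) return { ok: false, reason: "query-error", leaked: [] }
  if (!Array.isArray(data)) return { ok: false, reason: "no-data", leaked: [] }
  // [].every(...) is true, so an empty result must not count as a pass.
  if (data.length === 0) return { ok: false, reason: "vacuous", leaked: [] }
  // Any row outside the caller's organization is a cross-tenant leak.
  const leaked = data
    .filter(row => row.organization_id !== allowedOrgId)
    .map(row => row.id)
  if (leaked.length > 0) return { ok: false, reason: "leak", leaked }
  return { ok: true, reason: "isolated", leaked: [] }
}

// Constructed sample results (not real data).
const samples = {
  isolated: {
    data: [
      { id: 1, organization_id: "org-a" },
      { id: 2, organization_id: "org-a" },
    ],
    error: null,
  },
  leak: {
    data: [
      { id: 1, organization_id: "org-a" },
      { id: 9, organization_id: "org-b" },
    ],
    error: null,
  },
  vacuous: { data: [], error: null },
  failed: { data: null, error: { message: "constructed error" } },
}

for (const [name, result] of Object.entries(samples)) {
  console.log(name, checkOrgIsolation(result, "org-a"))
}
```

In a test, assert on `ok` and print `reason` and `leaked` on failure so a leak is distinguishable from a fixture problem.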
2. Test Server Actions
Server actions are async functions — test them without UI.
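    import { test, expect, vi } from "vitest"
    // requireAuth must be replaced by a vi.mock() module mock for vi.mocked() to work
    test("createRule requires auth", async () => {
      vi.mocked(requireAuth).mockRejectedValue(new Error("Unauthorized"))
      // Match the message so an unrelated failure cannot satisfy the test
      await expect(createRule(mockData)).rejects.toThrow("Unauthorized")
    })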
3. Integration Tests
Use a real Supabase instance, not mocks.
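    import { createClient } from "@supabase/supabase-js"
    // Use local Supabase: npx supabase start
    // LOCAL_URL and LOCAL_ANON_KEY are the API URL and anon key that command prints
    const supabase = createClient(LOCAL_URL, LOCAL_ANON_KEY)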