Work in progress, so consider this more like a brain dump than battle-tested knowledge (although the ideas do come from the trenches).
Testing unexported functions
Java developers have strong incentives and tooling to decide whether methods should be public or private. Python and Node leave this decision to conventions, developer preferences, practices or dice.
My approach is to consider functions private by default and export them only if necessary. This enforces a clean and secure API, in a deliberate way.
My issue with JavaScript is that whenever I follow this practice, I cannot test unexported functions, which leaves the internal gears uncertain. As usual in JS, you can find frameworks to solve it, and probably smart articles I didn't read, but here is my KISS (Keep It Simple, Stupid) solution:
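./security.js
// Internal helper: not part of the public API.
function _encrypt(password) {
  return '*****'
}
// Public API: the only function callers are meant to use.
function save(password) {
  _encrypt(password)
}
// Internals are grouped under _private so tests can still reach them.
module.exports = { save, _private: { _encrypt } }
./security.test.js
const security = require('./security.js')
test('password is encrypted', () => {
  const password = 'secret' // sample value for the test
  expect(security._private._encrypt(password)).toBe('*****')
})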
Using Jest syntax here.
Should you or your users import _encrypt(), they would really mean it.
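Since `_private` is only a convention, a small check can confirm that nothing outside the tests depends on it. The following is an added example, not code from the original post: it scans sources and reports any non-test file that touches `_private`. The `*.test.js` naming rule, the regexes, the function name `findPrivateUsage` and the sample files are assumptions constructed for illustration.

```javascript
// Added example: report non-test files that reach into a module's `_private` export.
// Assumption: test files are named *.test.js, as in the page's security.test.js.
const TEST_FILE = /\.test\.js$/

// Matches `x._private`, `x['_private']` and `const { _private } = require(...)`.
const PRIVATE_ACCESS =
  /\._private\b|\[\s*['"]_private['"]\s*\]|\{[^}]*\b_private\b[^}]*\}\s*=\s*require\(/

// files: object mapping file name -> source text.
// Returns one entry per offending line: { file, line, text }.
function findPrivateUsage(files) {
  const violations = []
  for (const [name, source] of Object.entries(files)) {
    if (TEST_FILE.test(name)) continue // tests are allowed to use _private
    source.split('\n').forEach((text, index) => {
      // The line that defines the export is not a usage.
      if (/module\.exports\s*=/.test(text)) return
      if (PRIVATE_ACCESS.test(text)) {
        violations.push({ file: name, line: index + 1, text: text.trim() })
      }
    })
  }
  return violations
}

// Constructed sample sources, keyed by file name.
const sampleFiles = {
  'security.js':
    "function _encrypt(p) { return '*****' }\n" +
    'module.exports = { save, _private: { _encrypt } }',
  'security.test.js':
    "const security = require('./security.js')\n" +
    "security._private._encrypt('x')",
  'login.js':
    "const security = require('./security.js')\n" +
    'security.save(pw)\n' +
    'security._private._encrypt(pw)',
  'signup.js':
    "const { _private } = require('./security.js')\n" +
    '_private._encrypt(pw)',
}

for (const v of findPrivateUsage(sampleFiles)) {
  console.log(`${v.file}:${v.line}: ${v.text}`)
}
```

Run over real files in CI, a non-empty result means production code has started relying on internals that were exported only for testing.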
Other ideas