RealDevSquad · AnujChhikara · Jan 29, 2026
diff --git a/test/integration/application.test.ts b/test/integration/application.test.ts
@@ -356,6 +356,153 @@ describe("Application", function () {
     });
   });
 
+  describe("PATCH /applications/:applicationId", function () {
+    it("should return 200 and update application when owner sends valid payload", function (done) {
+      chai
+        .request(app)
+        .patch(`/applications/${applicationId1}`)
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ introduction: "Updated introduction text" })
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+
+          expect(res).to.have.status(200);
+          expect(res.body.message).to.be.equal("Application updated successfully!");
+          return done();
+        });
+    });
+
+    it("should return 400 when request body is empty", function (done) {
+      chai
+        .request(app)
+        .patch(`/applications/${applicationId1}`)
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({})
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+
+          expect(res).to.have.status(400);
+          expect(res.body.error).to.be.equal("Bad Request");
+          expect(res.body.message).to.include("at least one allowed field");
+          return done();
+        });
+    });
+
+    it("should return 400 when request body contains disallowed field", function (done) {
+      chai
+        .request(app)
+        .patch(`/applications/${applicationId1}`)
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ batman: true })
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+
+          expect(res).to.have.status(400);
+          expect(res.body.error).to.be.equal("Bad Request");
+          return done();
+        });
+    });
+
+    it("should return 400 when imageUrl is not a valid URI", function (done) {
+      chai
+        .request(app)
+        .patch(`/applications/${applicationId1}`)
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ imageUrl: "not-a-valid-uri" })
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+
+          expect(res).to.have.status(400);
+          expect(res.body.error).to.be.equal("Bad Request");
+          return done();
+        });
+    });
+
+    it("should return 404 when application does not exist", function (done) {
+      chai
+        .request(app)
+        .patch(`/applications/non-existent-application-id`)
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ introduction: "Updated" })
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+
+          expect(res).to.have.status(404);
+          expect(res.body.error).to.be.equal("Not Found");
+          expect(res.body.message).to.be.equal("Application not found");
+          return done();
+        });
+    });
+
+    it("should return 401 when user is not authenticated", function (done) {
+      chai
+        .request(app)
+        .patch(`/applications/${applicationId1}`)
+        .send({ introduction: "Updated" })
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+
+          expect(res).to.have.status(401);
+          expect(res.body.error).to.be.equal("Unauthorized");
+          expect(res.body.message).to.be.equal("Unauthenticated User");
+          return done();
+        });
+    });
+
+    it("should return 401 when user does not own the application", function (done) {
+      chai
+        .request(app)
+        .patch(`/applications/${applicationId1}`)
+        .set("cookie", `${cookieName}=${secondUserJwt}`)
+        .send({ introduction: "Updated" })
+        .end((err, res) => {
+          if (err) {
+            return done(err);
+          }
+
+          expect(res).to.have.status(401);
+          expect(res.body.error).to.be.equal("Unauthorized");
+          expect(res.body.message).to.be.equal("You are not authorized to edit this application");
+          return done();
+        });
+    });
+
+    it("should return 409 when edit is attempted within 24 hours of last edit", async function () {
+      const applicationForEditTest = { ...applicationsData[0], userId };
+      const editTestApplicationId = await applicationModel.addApplication(applicationForEditTest);
+
+      const firstRes = await chai
+        .request(app)
+        .patch(`/applications/${editTestApplicationId}`)
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ introduction: "First edit" });
+
+      expect(firstRes).to.have.status(200);
+
+      const secondRes = await chai
+        .request(app)
+        .patch(`/applications/${editTestApplicationId}`)
+        .set("cookie", `${cookieName}=${jwt}`)
+        .send({ foundFrom: "Second edit" });
+
+      expect(secondRes).to.have.status(409);
+      expect(secondRes.body.error).to.be.equal("Conflict");
+      expect(secondRes.body.message).to.be.equal(APPLICATION_ERROR_MESSAGES.EDIT_TOO_SOON);
+    });
+  });
+
   describe("PATCH /applications/:applicationId/feedback", function () {
     it("should return 200 if the user is super user and application feedback is submitted", function (done) {
       chai

diff --git a/test/unit/controllers/applications.test.ts b/test/unit/controllers/applications.test.ts
@@ -3,7 +3,152 @@ import sinon from "sinon";
 import { CustomRequest, CustomResponse } from "../../../types/global";
 const applicationsController = require("../../../controllers/applications");
 const ApplicationModel = require("../../../models/applications");
+const logsModel = require("../../../models/logs");
 const { API_RESPONSE_MESSAGES, APPLICATION_ERROR_MESSAGES } = require("../../../constants/application");
+const { APPLICATION_STATUS } = require("../../../constants/application");
+
+describe("updateApplication", () => {
+  let req: Partial<CustomRequest>;
+  let res: Partial<CustomResponse> & {
+    json: sinon.SinonSpy;
+    boom: {
+      notFound: sinon.SinonSpy;
+      unauthorized: sinon.SinonSpy;
+      conflict: sinon.SinonSpy;
+      badImplementation: sinon.SinonSpy;
+    };
+  };
+  let jsonSpy: sinon.SinonSpy;
+  let boomNotFound: sinon.SinonSpy;
+  let boomUnauthorized: sinon.SinonSpy;
+  let boomConflict: sinon.SinonSpy;
+  let boomBadImplementation: sinon.SinonSpy;
+  let updateApplicationStub: sinon.SinonStub;
+  let addLogStub: sinon.SinonStub;
+
+  const mockApplicationId = "app-id-123";
+  const mockUserId = "user-id-456";
+  const mockUsername = "testuser";
+
+  beforeEach(() => {
+    jsonSpy = sinon.spy();
+    boomNotFound = sinon.spy();
+    boomUnauthorized = sinon.spy();
+    boomConflict = sinon.spy();
+    boomBadImplementation = sinon.spy();
+
+    req = {
+      params: { applicationId: mockApplicationId },
+      body: { introduction: "Updated introduction text" },
+      userData: { id: mockUserId, username: mockUsername },
+    };
+
+    res = {
+      json: jsonSpy,
+      boom: {
+        notFound: boomNotFound,
+        unauthorized: boomUnauthorized,
+        conflict: boomConflict,
+        badImplementation: boomBadImplementation,
+      },
+    };
+
+    updateApplicationStub = sinon.stub(ApplicationModel, "updateApplication");
+    addLogStub = sinon.stub(logsModel, "addLog").resolves();
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  describe("Success cases", () => {
+    it("should return 200 and log when update succeeds", async () => {
+      updateApplicationStub.resolves({ status: APPLICATION_STATUS.success });
+
+      await applicationsController.updateApplication(req as CustomRequest, res as CustomResponse);
+
+      expect(updateApplicationStub.calledOnce).to.be.true;
+      expect(updateApplicationStub.firstCall.args[0]).to.deep.include({ "intro.introduction": "Updated introduction text" });
+      expect(updateApplicationStub.firstCall.args[1]).to.equal(mockApplicationId);
+      expect(updateApplicationStub.firstCall.args[2]).to.equal(mockUserId);
+
+      expect(addLogStub.calledOnce).to.be.true;
+      expect(addLogStub.firstCall.args[1]).to.deep.include({ applicationId: mockApplicationId, userId: mockUserId, username: mockUsername });
+
+      expect(jsonSpy.calledOnce).to.be.true;
+      expect(jsonSpy.firstCall.args[0].message).to.equal("Application updated successfully!");
+    });
+
+    it("should build payload with professional and intro fields correctly", async () => {
+      req.body = {
+        professional: { institution: "MIT", skills: "React, Node" },
+        whyRds: "one ".repeat(100).trim(),
+      };
+      updateApplicationStub.resolves({ status: APPLICATION_STATUS.success });
+
+      await applicationsController.updateApplication(req as CustomRequest, res as CustomResponse);
+
+      const payload = updateApplicationStub.firstCall.args[0];
+      expect(payload).to.have.property("professional.institution", "MIT");
+      expect(payload).to.have.property("professional.skills", "React, Node");
+      expect(payload).to.have.property("intro.whyRds");
+      expect(jsonSpy.calledOnce).to.be.true;
+    });
+  });
+
+  describe("Error cases", () => {
+    it("should return 404 when application is not found", async () => {
+      updateApplicationStub.resolves({ status: APPLICATION_STATUS.notFound });
+
+      await applicationsController.updateApplication(req as CustomRequest, res as CustomResponse);
+
+      expect(boomNotFound.calledOnce).to.be.true;
+      expect(boomNotFound.firstCall.args[0]).to.equal("Application not found");
+      expect(addLogStub.called).to.be.false;
+      expect(jsonSpy.called).to.be.false;
+    });
+
+    it("should return 401 when user is not the owner", async () => {
+      updateApplicationStub.resolves({ status: APPLICATION_STATUS.unauthorized });
+
+      await applicationsController.updateApplication(req as CustomRequest, res as CustomResponse);
+
+      expect(boomUnauthorized.calledOnce).to.be.true;
+      expect(boomUnauthorized.firstCall.args[0]).to.equal("You are not authorized to edit this application");
+      expect(addLogStub.called).to.be.false;
+      expect(jsonSpy.called).to.be.false;
+    });
+
+    it("should return 409 when edit is attempted within 24 hours", async () => {
+      updateApplicationStub.resolves({ status: APPLICATION_STATUS.tooSoon });
+
+      await applicationsController.updateApplication(req as CustomRequest, res as CustomResponse);
+
+      expect(boomConflict.calledOnce).to.be.true;
+      expect(boomConflict.firstCall.args[0]).to.equal(APPLICATION_ERROR_MESSAGES.EDIT_TOO_SOON);
+      expect(addLogStub.called).to.be.false;
+      expect(jsonSpy.called).to.be.false;
+    });
+
+    it("should return 500 when model returns unexpected status", async () => {
+      updateApplicationStub.resolves({ status: "unknown" });
+
+      await applicationsController.updateApplication(req as CustomRequest, res as CustomResponse);
+
+      expect(boomBadImplementation.calledOnce).to.be.true;
+      expect(jsonSpy.called).to.be.false;
+    });
+
+    it("should return 500 when model throws", async () => {
+      updateApplicationStub.rejects(new Error("DB error"));
+
+      await applicationsController.updateApplication(req as CustomRequest, res as CustomResponse);
+
+      expect(boomBadImplementation.calledOnce).to.be.true;
+      expect(jsonSpy.called).to.be.false;
+    });
+  });
+});
 
 describe("nudgeApplication", () => {
   let req: Partial<CustomRequest>;