test: add coverage tests to reach 65% total coverage

Add 16 test files across 4 packages covering previously untested
handler paths: guild board operations, house/warehouse management,
tower/tenrouirai progress, diva schedule, festa info, cafe duration,
API error paths, sign server responses, and byteframe boundaries.

server/api/dbutils_coverage_test.go

@@ -0,0 +1,314 @@
+package api
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"testing"
+	"time"
+)
+
+func TestCreateNewUser_Success(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		userRepo: &mockAPIUserRepo{
+			registerID:     1,
+			registerRights: 30,
+		},
+	}
+
+	uid, rights, err := server.createNewUser(context.Background(), "testuser", "password123")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if uid != 1 {
+		t.Errorf("uid = %d, want 1", uid)
+	}
+	if rights != 30 {
+		t.Errorf("rights = %d, want 30", rights)
+	}
+}
+
+func TestCreateLoginToken_Success(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			createTokenID: 42,
+		},
+	}
+
+	tid, token, err := server.createLoginToken(context.Background(), 1)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if tid != 42 {
+		t.Errorf("tid = %d, want 42", tid)
+	}
+	if token == "" {
+		t.Error("token should not be empty")
+	}
+}
+
+func TestCreateLoginToken_Error(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			createTokenErr: errors.New("db error"),
+		},
+	}
+
+	_, _, err := server.createLoginToken(context.Background(), 1)
+	if err == nil {
+		t.Error("expected error")
+	}
+}
+
+func TestUserIDFromToken_Valid(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userID: 42,
+		},
+	}
+
+	uid, err := server.userIDFromToken(context.Background(), "valid-token")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if uid != 42 {
+		t.Errorf("uid = %d, want 42", uid)
+	}
+}
+
+func TestUserIDFromToken_ErrNoRows(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userIDErr: sql.ErrNoRows,
+		},
+	}
+
+	_, err := server.userIDFromToken(context.Background(), "invalid-token")
+	if err == nil {
+		t.Error("expected error for invalid token")
+	}
+}
+
+func TestUserIDFromToken_OtherError(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userIDErr: errors.New("connection refused"),
+		},
+	}
+
+	_, err := server.userIDFromToken(context.Background(), "some-token")
+	if err == nil {
+		t.Error("expected error")
+	}
+}
+
+func TestCreateCharacter_ExistingNew(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		charRepo: &mockAPICharacterRepo{
+			newCharacter: Character{ID: 5, Name: "NewChar"},
+		},
+	}
+
+	char, err := server.createCharacter(context.Background(), 1)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if char.ID != 5 {
+		t.Errorf("char ID = %d, want 5", char.ID)
+	}
+}
+
+func TestCreateCharacter_CreateNew(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		charRepo: &mockAPICharacterRepo{
+			newCharacterErr: sql.ErrNoRows,
+			countForUser:    2,
+			createChar:      Character{ID: 10, Name: "Created"},
+		},
+	}
+
+	char, err := server.createCharacter(context.Background(), 1)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if char.ID != 10 {
+		t.Errorf("char ID = %d, want 10", char.ID)
+	}
+}
+
+func TestCreateCharacter_MaxExceeded(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		charRepo: &mockAPICharacterRepo{
+			newCharacterErr: sql.ErrNoRows,
+			countForUser:    16,
+			createCharErr:   errors.New("cannot have more than 16 characters"),
+		},
+	}
+
+	_, err := server.createCharacter(context.Background(), 1)
+	if err == nil {
+		t.Error("expected error for max chars exceeded")
+	}
+}
+
+func TestDeleteCharacter_IsNewHardDelete(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	charRepo := &mockAPICharacterRepo{isNewResult: true}
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		charRepo:    charRepo,
+	}
+
+	err := server.deleteCharacter(context.Background(), 1, 5)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestDeleteCharacter_FinalizedSoftDelete(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	charRepo := &mockAPICharacterRepo{isNewResult: false}
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		charRepo:    charRepo,
+	}
+
+	err := server.deleteCharacter(context.Background(), 1, 5)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestGetCharactersForUser(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		charRepo: &mockAPICharacterRepo{
+			characters: []Character{
+				{ID: 1, Name: "Char1"},
+				{ID: 2, Name: "Char2"},
+			},
+		},
+	}
+
+	chars, err := server.getCharactersForUser(context.Background(), 1)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(chars) != 2 {
+		t.Errorf("count = %d, want 2", len(chars))
+	}
+}
+
+func TestExportSave(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		charRepo: &mockAPICharacterRepo{
+			exportResult: map[string]interface{}{"name": "Hunter"},
+		},
+	}
+
+	result, err := server.exportSave(context.Background(), 1, 5)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result["name"] != "Hunter" {
+		t.Errorf("name = %v, want Hunter", result["name"])
+	}
+}
+
+func TestGetReturnExpiry_RecentLogin(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		userRepo: &mockAPIUserRepo{
+			lastLogin:    time.Now(),
+			returnExpiry: time.Now().Add(time.Hour * 24 * 15),
+		},
+	}
+
+	expiry := server.getReturnExpiry(1)
+	if expiry.IsZero() {
+		t.Error("expiry should not be zero")
+	}
+}
+
+func TestGetReturnExpiry_OldLogin(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		userRepo: &mockAPIUserRepo{
+			lastLogin:    time.Now().Add(-time.Hour * 24 * 100), // 100 days ago
+			returnExpiry: time.Now().Add(time.Hour * 24 * 30),
+		},
+	}
+
+	expiry := server.getReturnExpiry(1)
+	if expiry.Before(time.Now()) {
+		t.Error("expiry should be in the future for returning player")
+	}
+}

server/api/endpoints_coverage_test.go

@@ -0,0 +1,387 @@
+package api
+
+import (
+	"bytes"
+	"database/sql"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	cfg "erupe-ce/config"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+func TestVersionEndpoint(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+	c.ClientMode = "ZZ"
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	req := httptest.NewRequest("GET", "/version", nil)
+	rec := httptest.NewRecorder()
+	server.Version(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", rec.Code)
+	}
+
+	var resp VersionResponse
+	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode error: %v", err)
+	}
+	if resp.ClientMode != "ZZ" {
+		t.Errorf("ClientMode = %q, want ZZ", resp.ClientMode)
+	}
+	if resp.Name != "Erupe-CE" {
+		t.Errorf("Name = %q, want Erupe-CE", resp.Name)
+	}
+}
+
+func TestLandingPageEndpoint_Enabled(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+	c.API.LandingPage = cfg.LandingPage{
+		Enabled: true,
+		Title:   "Test Server",
+		Content: "<p>Welcome</p>",
+	}
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rec := httptest.NewRecorder()
+	server.LandingPage(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", rec.Code)
+	}
+	if ct := rec.Header().Get("Content-Type"); ct != "text/html; charset=utf-8" {
+		t.Errorf("Content-Type = %q", ct)
+	}
+}
+
+func TestLandingPageEndpoint_Disabled(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+	c.API.LandingPage = cfg.LandingPage{Enabled: false}
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rec := httptest.NewRecorder()
+	server.LandingPage(rec, req)
+
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("status = %d, want 404", rec.Code)
+	}
+}
+
+func TestLoginEndpoint_Success(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	hash, _ := bcrypt.GenerateFromPassword([]byte("password123"), bcrypt.MinCost)
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		userRepo: &mockAPIUserRepo{
+			credentialsID:       1,
+			credentialsPassword: string(hash),
+			credentialsRights:   30,
+			lastLogin:           time.Now(),
+			returnExpiry:        time.Now().Add(time.Hour * 24 * 30),
+		},
+		sessionRepo: &mockAPISessionRepo{
+			createTokenID: 42,
+		},
+		charRepo: &mockAPICharacterRepo{
+			characters: []Character{
+				{ID: 1, Name: "TestHunter", HR: 100},
+			},
+		},
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"username": "testuser",
+		"password": "password123",
+	})
+	req := httptest.NewRequest("POST", "/login", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.Login(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", rec.Code)
+	}
+
+	var resp AuthData
+	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode error: %v", err)
+	}
+	if resp.User.TokenID != 42 {
+		t.Errorf("TokenID = %d, want 42", resp.User.TokenID)
+	}
+	if len(resp.Characters) != 1 {
+		t.Errorf("Characters count = %d, want 1", len(resp.Characters))
+	}
+}
+
+func TestLoginEndpoint_UsernameNotFound(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		userRepo: &mockAPIUserRepo{
+			credentialsErr: sql.ErrNoRows,
+		},
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"username": "nonexistent",
+		"password": "password123",
+	})
+	req := httptest.NewRequest("POST", "/login", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.Login(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", rec.Code)
+	}
+	if rec.Body.String() != "username-error" {
+		t.Errorf("body = %q, want username-error", rec.Body.String())
+	}
+}
+
+func TestLoginEndpoint_WrongPassword(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	hash, _ := bcrypt.GenerateFromPassword([]byte("correct"), bcrypt.MinCost)
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		userRepo: &mockAPIUserRepo{
+			credentialsID:       1,
+			credentialsPassword: string(hash),
+			lastLogin:           time.Now(),
+			returnExpiry:        time.Now().Add(time.Hour * 24 * 30),
+		},
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"username": "testuser",
+		"password": "wrongpassword",
+	})
+	req := httptest.NewRequest("POST", "/login", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.Login(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", rec.Code)
+	}
+	if rec.Body.String() != "password-error" {
+		t.Errorf("body = %q, want password-error", rec.Body.String())
+	}
+}
+
+func TestRegisterEndpoint_Success(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		userRepo: &mockAPIUserRepo{
+			registerID:     1,
+			registerRights: 30,
+			lastLogin:      time.Now(),
+			returnExpiry:   time.Now().Add(time.Hour * 24 * 30),
+		},
+		sessionRepo: &mockAPISessionRepo{
+			createTokenID: 10,
+		},
+		charRepo: &mockAPICharacterRepo{},
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"username": "newuser",
+		"password": "password123",
+	})
+	req := httptest.NewRequest("POST", "/register", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.Register(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", rec.Code)
+	}
+
+	var resp AuthData
+	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode error: %v", err)
+	}
+	if resp.User.Rights != 30 {
+		t.Errorf("Rights = %d, want 30", resp.User.Rights)
+	}
+}
+
+func TestCreateCharacterEndpoint_Success(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userID: 1,
+		},
+		charRepo: &mockAPICharacterRepo{
+			newCharacter: Character{ID: 5, Name: "NewChar"},
+		},
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"token": "valid-token",
+	})
+	req := httptest.NewRequest("POST", "/character/create", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.CreateCharacter(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", rec.Code)
+	}
+}
+
+func TestCreateCharacterEndpoint_InvalidToken(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userIDErr: sql.ErrNoRows,
+		},
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"token": "invalid",
+	})
+	req := httptest.NewRequest("POST", "/character/create", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.CreateCharacter(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want 401", rec.Code)
+	}
+}
+
+func TestDeleteCharacterEndpoint_NewChar(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userID: 1,
+		},
+		charRepo: &mockAPICharacterRepo{
+			isNewResult: true,
+		},
+	}
+
+	body, _ := json.Marshal(map[string]interface{}{
+		"token":  "valid-token",
+		"charId": 5,
+	})
+	req := httptest.NewRequest("POST", "/character/delete", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.DeleteCharacter(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", rec.Code)
+	}
+}
+
+func TestDeleteCharacterEndpoint_FinalizedChar(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userID: 1,
+		},
+		charRepo: &mockAPICharacterRepo{
+			isNewResult: false,
+		},
+	}
+
+	body, _ := json.Marshal(map[string]interface{}{
+		"token":  "valid-token",
+		"charId": 5,
+	})
+	req := httptest.NewRequest("POST", "/character/delete", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.DeleteCharacter(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", rec.Code)
+	}
+}
+
+func TestExportSaveEndpoint_Success(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userID: 1,
+		},
+		charRepo: &mockAPICharacterRepo{
+			exportResult: map[string]interface{}{
+				"name": "TestHunter",
+				"hr":   100,
+			},
+		},
+	}
+
+	body, _ := json.Marshal(map[string]interface{}{
+		"token":  "valid-token",
+		"charId": 1,
+	})
+	req := httptest.NewRequest("POST", "/character/export", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.ExportSave(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", rec.Code)
+	}
+
+	var resp ExportData
+	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode error: %v", err)
+	}
+	if resp.Character["name"] != "TestHunter" {
+		t.Errorf("character name = %v, want TestHunter", resp.Character["name"])
+	}
+}

server/api/endpoints_extra_coverage_test.go

@@ -0,0 +1,223 @@
+package api
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestHealthEndpoint_NilDB(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		db:          nil,
+	}
+
+	req := httptest.NewRequest("GET", "/health", nil)
+	rec := httptest.NewRecorder()
+	server.Health(rec, req)
+
+	if rec.Code != http.StatusServiceUnavailable {
+		t.Errorf("status = %d, want 503", rec.Code)
+	}
+	var resp map[string]string
+	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode error: %v", err)
+	}
+	if resp["status"] != "unhealthy" {
+		t.Errorf("status = %q, want unhealthy", resp["status"])
+	}
+}
+
+func TestRegisterEndpoint_EmptyPassword(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"username": "testuser",
+		"password": "",
+	})
+	req := httptest.NewRequest("POST", "/register", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.Register(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", rec.Code)
+	}
+}
+
+func TestRegisterEndpoint_InvalidJSON(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	req := httptest.NewRequest("POST", "/register", bytes.NewReader([]byte("not json")))
+	rec := httptest.NewRecorder()
+	server.Register(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", rec.Code)
+	}
+}
+
+func TestLoginEndpoint_InvalidJSON(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	req := httptest.NewRequest("POST", "/login", bytes.NewReader([]byte("not json")))
+	rec := httptest.NewRecorder()
+	server.Login(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", rec.Code)
+	}
+}
+
+func TestCreateCharacterEndpoint_InvalidJSON(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	req := httptest.NewRequest("POST", "/character/create", bytes.NewReader([]byte("bad")))
+	rec := httptest.NewRecorder()
+	server.CreateCharacter(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", rec.Code)
+	}
+}
+
+func TestDeleteCharacterEndpoint_InvalidJSON(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	req := httptest.NewRequest("POST", "/character/delete", bytes.NewReader([]byte("bad")))
+	rec := httptest.NewRecorder()
+	server.DeleteCharacter(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", rec.Code)
+	}
+}
+
+func TestExportSaveEndpoint_InvalidJSON(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+	}
+
+	req := httptest.NewRequest("POST", "/character/export", bytes.NewReader([]byte("bad")))
+	rec := httptest.NewRecorder()
+	server.ExportSave(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", rec.Code)
+	}
+}
+
+func TestRegisterEndpoint_CreateUserError(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		userRepo: &mockAPIUserRepo{
+			registerErr: errors.New("db connection failed"),
+		},
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"username": "testuser",
+		"password": "password123",
+	})
+	req := httptest.NewRequest("POST", "/register", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.Register(rec, req)
+
+	if rec.Code != http.StatusInternalServerError {
+		t.Errorf("status = %d, want 500", rec.Code)
+	}
+}
+
+func TestDeleteCharacterEndpoint_InvalidToken(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userIDErr: errors.New("bad token"),
+		},
+	}
+
+	body, _ := json.Marshal(map[string]interface{}{
+		"token":  "invalid",
+		"charId": 5,
+	})
+	req := httptest.NewRequest("POST", "/character/delete", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.DeleteCharacter(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want 401", rec.Code)
+	}
+}
+
+func TestExportSaveEndpoint_InvalidToken(t *testing.T) {
+	logger := NewTestLogger(t)
+	c := NewTestConfig()
+
+	server := &APIServer{
+		logger:      logger,
+		erupeConfig: c,
+		sessionRepo: &mockAPISessionRepo{
+			userIDErr: errors.New("bad token"),
+		},
+	}
+
+	body, _ := json.Marshal(map[string]interface{}{
+		"token":  "invalid",
+		"charId": 1,
+	})
+	req := httptest.NewRequest("POST", "/character/export", bytes.NewReader(body))
+	rec := httptest.NewRecorder()
+	server.ExportSave(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want 401", rec.Code)
+	}
+}