--- title: 'Testing for Vibe Coders: From Zero to Production Confidence' description: >- Build a testing strategy that prevents production disasters without turning development into a slog. Learn which tests matter, which tools to use, and how to catch bugs before your users do. author: prashant date: '2025-08-16T10:00' tags: - vibe-coding categories: - developers --- Testing feels like homework until your users find the bugs first. This guide shows you how to build a testing strategy that actually prevents production disasters without turning development into a slog. You will learn which tests matter, which tools are simple enough to stick with, and how to catch the bugs that embarrass you in front of users. Supabase helps because it is just Postgres at the core with an integrated suite of tools. You can run a full local stack, write tests against real Postgres schema and policies, and promote changes the same way you ship code. Start simple and layer more as your app grows. ## Tests that actually matter Most developers write the wrong tests first. Unit tests feel productive because they are fast to write and always pass. But they miss the bugs that actually break your app in production. Integration tests do the heavy lifting. They check that your database, API routes, auth, and third-party calls work together. These catch the "works on my machine" issues that unit tests miss entirely. Start with integration tests on your core features. Add unit tests only for complex logic like price calculations, date handling, and data transforms where bugs are expensive. Save end-to-end tests for critical user flows like login, checkout, and content creation. Visual tests are optional unless pixel-perfect UI is your main value proposition. This order catches real-world bugs without turning testing into a full-time job. You want tests that fail when something is actually broken, not tests that fail because you refactored a function name. ## Pick tools and stick with them Tool-hopping burns more hours than imperfect tools ever will. Pick one tool per category and move on. For JavaScript and TypeScript projects, use Jest or Vitest for unit and integration tests. For end-to-end testing, Playwright handles modern web apps better than Selenium ever did. The secret weapon is Supabase local development. Running `supabase start` gives you a real Postgres database, auth system, and generated APIs on your machine. Your tests run against the same schema, Row Level Security policies, and API endpoints that your production app uses. No mocking, no fake data, no surprises when you deploy. If you are building Python services, pytest works the same way. For testing SQL policies and functions directly, pgTAP lets you write tests in SQL, but save that for later when your database logic gets complex. ## Start with a minimal setup Prove your testing pipeline works before writing complex tests. Add these scripts to your package.json: ```json { "scripts": { "test": "vitest run", "test:watch": "vitest", "test:e2e": "playwright test" } } ``` Write one simple test to verify everything works: ```tsx import { expect, test } from 'vitest' import { formatPrice } from '../src/lib/format' test('formats cents into dollars', () => { expect(formatPrice(1999)).toBe('$19.99') expect(formatPrice(0)).toBe('$0.00') }) ``` If this passes in watch mode and in continuous integration, your test harness is solid. Now you can point tests at your real application stack. ## Test against your real database Create a test client that connects to your local Supabase instance. Keep your service role keys secure and use the anonymous key for user-level operations: ```tsx import { createClient } from '@supabase/supabase-js' export const supabase = createClient( process.env.SUPABASE_URL || 'http://localhost:54321', process.env.SUPABASE_ANON_KEY || 'your-local-anon-key' ) ``` Write integration tests that verify your most critical systems work together. This test confirms that Supabase Auth, database triggers, and Row Level Security all work correctly: ```tsx import { beforeEach, expect, test } from 'vitest' import { supabase } from './setup' beforeEach(async () => { await supabase.from('profiles').delete().neq('id', '') }) test('sign up creates a profile row via trigger', async () => { const email = `test-${Date.now()}@example.com` const { data, error } = await supabase.auth.signUp({ email, password: 'Pass1234!', }) expect(error).toBeNull() expect(data.user?.email).toBe(email) const { data: profile } = await supabase .from('profiles') .select('*') .eq('id', data.user?.id) .single() expect(profile).toBeTruthy() }) ``` One test covers authentication, database triggers, and data access policies. That is efficient testing. ## Focus on expensive failures first Write tests for the areas where bugs cost you the most money or reputation. Authentication and authorization failures expose user data or lock people out of their accounts. Money calculations that are wrong by even a penny destroy trust. Data validation bugs let malicious users break your application. Test that logged-out users cannot access protected endpoints. Verify that users can only see their own data under Row Level Security. Confirm that session refresh works correctly. For business logic, verify that totals and taxes calculate correctly, discounts do not create negative prices, and webhook handlers are idempotent so duplicate deliveries do not double-charge customers. Check that email addresses, dates, and user IDs are validated properly. Ensure that dangerous input gets rejected on the server side, not just in the browser. Test your critical user flows like signup, onboarding, checkout, content creation, and file uploads. A single test in these areas prevents entire categories of production incidents. Focus your testing time where failure hurts the most. ## Test Supabase-specific features Row Level Security is easy to forget during development, and forgetting it leaves your database wide open. Write tests that prove users cannot see each other's data: ```tsx test('users cannot see each other's posts', async () => { const u1 = await supabase.auth.signUp({ email: 'u1@test.com', password: 'pass' }) const u2 = await supabase.auth.signUp({ email: 'u2@test.com', password: 'pass' }) await supabase.auth.signInWithPassword({ email: 'u1@test.com', password: 'pass' }) const { data: post } = await supabase .from('posts') .insert({ title: 'secret' }) .select() .single() await supabase.auth.signInWithPassword({ email: 'u2@test.com', password: 'pass' }) const { data: rows } = await supabase .from('posts') .select() .eq('id', post!.id) expect(rows?.length ?? 0).toBe(0) }) ``` Test database triggers that create profile rows after user signup or update timestamps on data changes. If your app relies on these triggers, make sure they fire correctly. For file storage, test that uploads work but unauthorized users cannot read or delete files: ```tsx test('upload to avatars bucket works', async () => { const file = new File(['test'], 'avatar.jpg', { type: 'image/jpeg' }) const { data, error } = await supabase.storage .from('avatars') .upload(`avatar-${Date.now()}.jpg`, file) expect(error).toBeNull() expect(data?.path).toBeTruthy() }) ``` If you use Supabase Realtime for collaborative features, write a test that subscribes to table changes and verifies that events arrive after you insert data. ## Generate test data that looks real Your first few tests work fine with hardcoded values like `test-${Date.now()}@example.com`. But eventually you need to test pagination, search results, or how your app handles varied user data. Writing 50 manual insert statements gets old fast. Start with simple helper functions that create test records: ```tsx export async function createTestUser(overrides = {}) { const email = `user-${Date.now()}@example.com` const { data, error } = await supabase.auth.signUp({ email, password: 'TestPass123!', ...overrides, }) if (error) throw error return data.user } export async function createTestPost(userId: string, overrides = {}) { const { data, error } = await supabase .from('posts') .insert({ user_id: userId, title: 'Test post', content: 'Test content', ...overrides, }) .select() .single() if (error) throw error return data } ``` Now your tests are cleaner: ```tsx test('search returns relevant posts', async () => { const user = await createTestUser() await createTestPost(user.id, { title: 'JavaScript tips' }) await createTestPost(user.id, { title: 'Python tricks' }) const { data } = await supabase.from('posts').select().textSearch('title', 'JavaScript') expect(data).toHaveLength(1) }) ``` When you need realistic variety, use Faker.js: ```bash npm install @faker-js/faker --save-dev ``` ```tsx import { faker } from '@faker-js/faker' export async function createTestUser(overrides = {}) { const { data, error } = await supabase.auth.signUp({ email: faker.internet.email(), password: 'TestPass123!', ...overrides, }) if (error) throw error await supabase .from('profiles') .update({ display_name: faker.person.fullName(), bio: faker.lorem.paragraph(), avatar_url: faker.image.avatar(), }) .eq('id', data.user.id) return data.user } ``` For tests that need volume, write a seed script that populates your database with realistic data: ```tsx // tests/seed.ts import { faker } from '@faker-js/faker' import { createClient } from '@supabase/supabase-js' const supabase = createClient('http://localhost:54321', process.env.SUPABASE_SERVICE_ROLE_KEY) async function seed() { // Create 10 users with posts for (let i = 0; i < 10; i++) { const { data: user } = await supabase.auth.admin.createUser({ email: faker.internet.email(), password: 'TestPass123!', email_confirm: true, }) // Each user gets 3-7 posts const postCount = faker.number.int({ min: 3, max: 7 }) for (let j = 0; j < postCount; j++) { await supabase.from('posts').insert({ user_id: user.user.id, title: faker.lorem.sentence(), content: faker.lorem.paragraphs(3), published_at: faker.date.recent({ days: 30 }), }) } } console.log('Seed complete') } seed() ``` Run it with `npx tsx tests/seed.ts` when you need fresh data. Better yet, add it to your database reset flow: ```bash supabase db reset && npx tsx tests/seed.ts ``` This gives you a baseline dataset that looks like real usage. Your pagination tests work correctly, search returns varied results, and you catch UI bugs that only show up with different name lengths or content volumes. Keep your seed data simple at first. Add complexity only when you actually need to test against it. Ten users with a few posts each covers most testing scenarios. You can always generate more data for specific performance tests. ## Keep authentication tests simple OAuth testing (for Login with Google, Login with Apple, etc.) on localhost is painful, so mix your approaches. Mock external provider calls in unit tests to verify your callback logic works. Use Supabase Admin APIs in integration tests to create confirmed users quickly without going through the full signup flow. Use Playwright for one or two complete OAuth flows with a dedicated test application and saved login state. This gives you fast feedback during development and confidence that production flows work correctly. ## Make async tests reliable Flaky tests destroy team confidence in your test suite. Always await promises in your tests and explicitly test error conditions. Use fake timers instead of sleeping to make time-dependent tests deterministic. Reset your database state between tests so they do not interfere with each other. Retry network calls in tests the same way your production code does. If a test fails only in continuous integration, capture logs and debugging artifacts. Fix flaky tests immediately or delete them. A reliable test suite that catches real bugs is better than a comprehensive suite that cries wolf. ## Run tests in continuous integration Set up GitHub Actions to run your tests on every pull request and merge to main. Start Supabase locally in CI with `supabase start` and point your tests at the local instance. Split fast unit and integration tests from slower end-to-end tests into separate jobs. Gate your deployments on fast tests passing, but let end-to-end tests run in parallel. Keep your CI builds fast by running tests in parallel and caching dependencies. Developers stop running tests if they take too long. ## Test-driven development with AI coding assistants Testing becomes even more important when you are using AI to write code quickly. Large language models are creative assistants, but they make subtle mistakes. A test suite turns your AI pair programmer from a creative helper into a reliable co-pilot. The workflow is simple. Write or update a test that describes what you want. Ask the AI to implement the feature. Run the tests and feed any failures back to the model. The test is your contract. If the AI goes off track, the test catches it immediately. This works especially well for API contract tests that verify status codes and response shapes, Row Level Security policies that prevent users from seeing each other's data, money calculations that prevent rounding errors, and webhook handlers that need to be idempotent. Done correctly, tests make AI-assisted development faster and more reliable. You can iterate quickly without accidentally breaking existing functionality. ## Build in a weekend, test forever If you have been coding your project for a while and haven't started to add tests, don't worry. It's not too late. Here is how to retrofit testing onto your existing application and maintain good habits going forward. ### Add tests to your existing project Start by installing your testing framework and setting up Supabase local development: ```bash npm install vitest @supabase/supabase-js --save-dev supabase init supabase link --project-ref YOUR_PROJECT_ID supabase db pull supabase start ``` This captures your existing database schema as migration files and starts a local Supabase instance that matches your production setup. Create a simple test configuration in `vitest.config.js`: ```jsx import { defineConfig } from 'vitest/config' export default defineConfig({ test: { environment: 'node', setupFiles: ['./tests/setup.ts'], }, }) ``` Write your first integration test for the most critical feature in your app. If it is a social app, test that users can create posts and see their own posts but not other users' posts. If it is an e-commerce app, test that the checkout calculation is correct. If it is a content management system, test that publishing and unpublishing work properly. Pick the one feature that would hurt the most if it broke, and write a test for it first. This gives you immediate confidence that your core functionality works correctly. ### Test your authentication system Most weekend projects have basic authentication but skip Row Level Security. Write a test that creates two users, has one create some data, and verifies the other cannot see it: ```tsx import { createClient } from '@supabase/supabase-js' const supabase = createClient('http://localhost:54321', process.env.SUPABASE_ANON_KEY) test('users cannot access each other data', async () => { // Create two test users const user1 = await supabase.auth.signUp({ email: 'user1@test.com', password: 'password123', }) const user2 = await supabase.auth.signUp({ email: 'user2@test.com', password: 'password123', }) // User 1 creates some data await supabase.auth.signInWithPassword({ email: 'user1@test.com', password: 'password123', }) const { data: created } = await supabase .from('posts') .insert({ title: 'Private post' }) .select() .single() // User 2 tries to access it await supabase.auth.signInWithPassword({ email: 'user2@test.com', password: 'password123', }) const { data: accessed } = await supabase.from('posts').select().eq('id', created.id) expect(accessed).toHaveLength(0) }) ``` If this test fails, you need to add Row Level Security policies to your tables. If it passes, your data is properly isolated between users. ### Add tests as you build new features From now on, write a test before you add each new feature. This prevents regressions and gives you confidence that changes work correctly. The pattern is simple: describe what the feature should do in a test, implement the feature, and verify the test passes. For a new feature like user profiles, write the test first: ```tsx test('users can update their own profile', async () => { const { data: user } = await supabase.auth.signUp({ email: 'profile@test.com', password: 'password123', }) const { error } = await supabase .from('profiles') .update({ display_name: 'New Name' }) .eq('id', user.user.id) expect(error).toBeNull() const { data: profile } = await supabase .from('profiles') .select('display_name') .eq('id', user.user.id) .single() expect(profile.display_name).toBe('New Name') }) ``` Then implement the feature and verify the test passes. This workflow catches bugs before they reach users and documents how your features are supposed to work. ### Set up continuous integration Add a GitHub Actions workflow that runs your tests on every push: ```yaml name: Tests on: [push, pull_request] jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: '18' - uses: supabase/setup-cli@v1 - name: Install dependencies run: npm ci - name: Start Supabase run: supabase start - name: Run tests run: npm test ``` This ensures your tests run in a clean environment and catch issues before they reach production. Tests that pass locally but fail in CI usually indicate missing environment setup or flaky timing assumptions. ### Maintain good testing habits Make testing part of your daily workflow. Run tests in watch mode while developing so you get immediate feedback when something breaks. Reset your local database regularly with `supabase db reset` to ensure your tests work against a clean schema. When you fix a bug, write a test that would have caught it. This prevents the same bug from coming back and gradually improves your test coverage in the most important areas. Review your tests monthly and delete ones that no longer add value. Tests that are hard to maintain or frequently break for trivial reasons hurt more than they help. Keep your test suite focused on the functionality that matters most to your users. The goal is not perfect test coverage but reliable protection against the bugs that would hurt your business. A small suite of well-targeted tests beats a comprehensive suite that breaks constantly and slows down development. ## Your testing workflow Make these habits automatic. During daily development, run tests in watch mode, reset your local database when things get messy, and write a test when you fix any bug. For each pull request, ensure your tests pass locally, run a quick end-to-end check on critical flows, and fix any flaky tests immediately. Monthly, review your test suite and remove obsolete tests, refresh your seed data to match current usage patterns, and update testing dependencies to stay current with security patches. ## You do not need perfect coverage You need tests in the right places that run against your real schema and integrate into your daily development flow. Supabase makes this straightforward because you can run the entire stack locally, test your actual Postgres policies and triggers, and deploy the same migrations you test with. Start with integration tests for your core features, add a few end-to-end tests for critical user flows, protect your authentication and business logic, and automate the rest. Your users will notice fewer bugs, and you will ship new features with confidence instead of anxiety.