@faststore/core 4.3.0-dev.6 → 4.3.0-dev.8

package/test/pages/api/unlock.test.ts

@@ -0,0 +1,277 @@
+import type { NextApiRequest, NextApiResponse } from 'next'
+import { beforeEach, describe, expect, it, vi, type Mock } from 'vitest'
+
+import type { UnlockResponse } from '../../../src/utils/unlockResponse'
+
+vi.mock('discovery.config', () => ({
+  __esModule: true,
+  default: { api: { storeId: 'test-store' } },
+}))
+
+vi.mock('../../../src/server/password-protection/webops-api', () => ({
+  sessionUrl: () =>
+    new URL('https://faststore.vtex.com/api/v1/password-protection/session'),
+  passwordProtectionTimeouts: { defaultMs: 10_000 },
+}))
+
+function createReqRes(overrides: Partial<NextApiRequest> = {}): {
+  req: NextApiRequest
+  res: NextApiResponse<UnlockResponse> & {
+    status: Mock
+    json: Mock
+    end: Mock
+    setHeader: Mock
+    _getStatus: () => number
+  }
+} {
+  const res: Record<string, unknown> = {
+    _status: 0,
+    status: vi.fn().mockImplementation(function (
+      this: Record<string, unknown>,
+      code: number
+    ) {
+      this._status = code
+      return this
+    }),
+    json: vi.fn(),
+    end: vi.fn(),
+    setHeader: vi.fn(),
+    _getStatus() {
+      return (this as Record<string, unknown>)._status
+    },
+  }
+
+  return {
+    req: {
+      method: 'POST',
+      body: { password: 'secret' },
+      query: {},
+      ...overrides,
+    } as unknown as NextApiRequest,
+    res: res as unknown as ReturnType<typeof createReqRes>['res'],
+  }
+}
+
+async function getHandler() {
+  const mod = await import(
+    '../../../src/pages/api/fs/password-protection/unlock'
+  )
+  return mod.default
+}
+
+describe('/api/fs/password-protection/unlock', () => {
+  beforeEach(() => {
+    vi.resetModules()
+    global.fetch = vi.fn()
+  })
+
+  it('returns 405 for non-POST requests', async () => {
+    const handler = await getHandler()
+    const { req, res } = createReqRes({ method: 'GET' })
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(405)
+    expect(res.end).toHaveBeenCalled()
+  })
+
+  it('returns 400 when password is missing', async () => {
+    const handler = await getHandler()
+    const { req, res } = createReqRes({ body: {} })
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(400)
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: false, error: 'Password is required' })
+    )
+  })
+
+  it('returns 400 when request body is missing', async () => {
+    const handler = await getHandler()
+    const { req, res } = createReqRes({ body: undefined })
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(400)
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: false, error: 'Password is required' })
+    )
+  })
+
+  it('returns 400 when password is not a string', async () => {
+    const handler = await getHandler()
+    const { req, res } = createReqRes({ body: { password: 123 } })
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(400)
+  })
+
+  it('returns 401 when WebOps returns 401', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({ ok: false, status: 401 })
+    const handler = await getHandler()
+    const { req, res } = createReqRes()
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(401)
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: false, error: 'Invalid password' })
+    )
+  })
+
+  it('returns 401 when WebOps returns 403', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({ ok: false, status: 403 })
+    const handler = await getHandler()
+    const { req, res } = createReqRes()
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(401)
+  })
+
+  it('returns 503 when WebOps returns a non-ok status other than 401/403', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({ ok: false, status: 502 })
+    const handler = await getHandler()
+    const { req, res } = createReqRes()
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(503)
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: false })
+    )
+  })
+
+  it('returns 500 when WebOps response body is not a valid payload', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      ok: true,
+      json: async () => 'not-an-object',
+    })
+    const handler = await getHandler()
+    const { req, res } = createReqRes()
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(500)
+  })
+
+  it('returns 401 when WebOps responds with valid=false', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({ valid: false }),
+    })
+    const handler = await getHandler()
+    const { req, res } = createReqRes()
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(401)
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: false, error: 'Invalid password' })
+    )
+  })
+
+  it('returns 401 when WebOps responds valid=true without a token', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({ valid: true }),
+    })
+    const handler = await getHandler()
+    const { req, res } = createReqRes()
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(401)
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: false, error: 'Invalid password' })
+    )
+  })
+
+  it('sets protection cookie and returns 200 with redirectUrl on success', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({ valid: true, token: 'jwt-abc' }),
+    })
+    const handler = await getHandler()
+    const { req, res } = createReqRes({ query: { returnTo: '/checkout' } })
+
+    await handler(req, res)
+
+    expect(res.setHeader).toHaveBeenCalledWith(
+      'Set-Cookie',
+      expect.arrayContaining([
+        expect.stringContaining('__fs_password_protection=jwt-abc'),
+      ])
+    )
+    expect(res.setHeader).toHaveBeenCalledWith(
+      'Set-Cookie',
+      expect.arrayContaining([expect.stringContaining('HttpOnly')])
+    )
+    expect(res.status).toHaveBeenCalledWith(200)
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: true, redirectUrl: '/checkout' })
+    )
+  })
+
+  it('defaults redirectUrl to "/" when returnTo is not provided', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({ valid: true, token: 'jwt-abc' }),
+    })
+    const handler = await getHandler()
+    const { req, res } = createReqRes({ query: {} })
+
+    await handler(req, res)
+
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: true, redirectUrl: '/' })
+    )
+  })
+
+  it('sanitizes open-redirect attempts in returnTo', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({ valid: true, token: 'jwt-abc' }),
+    })
+    const handler = await getHandler()
+    const { req, res } = createReqRes({ query: { returnTo: '//evil.com' } })
+
+    await handler(req, res)
+
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ redirectUrl: '/' })
+    )
+  })
+
+  it('sanitizes absolute URL in returnTo', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({ valid: true, token: 'jwt-abc' }),
+    })
+    const handler = await getHandler()
+    const { req, res } = createReqRes({
+      query: { returnTo: 'https://evil.com' },
+    })
+
+    await handler(req, res)
+
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ redirectUrl: '/' })
+    )
+  })
+
+  it('returns 503 when fetch throws', async () => {
+    ;(global.fetch as Mock).mockRejectedValue(new Error('network failure'))
+    const handler = await getHandler()
+    const { req, res } = createReqRes()
+
+    await handler(req, res)
+
+    expect(res.status).toHaveBeenCalledWith(503)
+    expect(res.json).toHaveBeenCalledWith(
+      expect.objectContaining({ success: false })
+    )
+  })
+})

package/test/pages/password-protection.browser.test.tsx

@@ -0,0 +1,201 @@
+/**
+ * @vitest-environment jsdom
+ */
+
+import '@testing-library/jest-dom/vitest'
+import React from 'react'
+import {
+  cleanup,
+  fireEvent,
+  render,
+  screen,
+  waitFor,
+} from '@testing-library/react'
+import userEvent from '@testing-library/user-event'
+import {
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  it,
+  vi,
+  type Mock,
+} from 'vitest'
+
+const mockUseRouter = vi.hoisted(() => vi.fn())
+
+vi.mock('next/router', () => ({
+  useRouter: mockUseRouter,
+}))
+
+vi.mock('next/head', () => ({
+  default: ({ children }: React.PropsWithChildren) => <>{children}</>,
+}))
+
+vi.mock(
+  '@faststore/ui',
+  () => ({
+    Button: ({
+      children,
+      loading,
+      ...props
+    }: React.PropsWithChildren<
+      React.ButtonHTMLAttributes<HTMLButtonElement> & { loading?: boolean }
+    >) => (
+      <button {...props} aria-busy={loading}>
+        {children}
+      </button>
+    ),
+    InputField: ({
+      label,
+      error,
+      ...props
+    }: React.InputHTMLAttributes<HTMLInputElement> & {
+      label: string
+      error?: string
+    }) => (
+      <label htmlFor={props.id}>
+        {label}
+        <input {...props} />
+        {error && <span role="alert">{error}</span>}
+      </label>
+    ),
+  }),
+  { virtual: true }
+)
+
+import PasswordProtectionLogin from '../../src/pages/password-protection'
+
+const originalLocation = window.location
+
+function stubLocation(origin = 'https://store.example.com') {
+  Object.defineProperty(window, 'location', {
+    configurable: true,
+    value: { ...originalLocation, origin, href: origin },
+  })
+}
+
+async function fillAndSubmit(password = 'secret') {
+  fireEvent.change(screen.getByLabelText('Password'), {
+    target: { value: password },
+  })
+  await userEvent.click(screen.getByRole('button', { name: 'Unlock' }))
+}
+
+describe('PasswordProtectionLogin', () => {
+  beforeEach(() => {
+    stubLocation()
+    mockUseRouter.mockReturnValue({ query: {} })
+    global.fetch = vi.fn()
+  })
+
+  afterEach(() => {
+    cleanup()
+    vi.clearAllMocks()
+    Object.defineProperty(window, 'location', {
+      configurable: true,
+      value: originalLocation,
+    })
+  })
+
+  it('renders the password protection form', () => {
+    render(<PasswordProtectionLogin />)
+
+    expect(
+      screen.queryByText('This store is password protected')
+    ).toBeInTheDocument()
+    expect(
+      screen.queryByText('Enter the password to access the store')
+    ).toBeInTheDocument()
+    expect(screen.queryByLabelText('Password')).toBeInTheDocument()
+    expect(screen.queryByRole('button', { name: 'Unlock' })).toBeInTheDocument()
+  })
+
+  it('posts the password and redirects to the requested return path', async () => {
+    mockUseRouter.mockReturnValue({
+      query: { returnTo: '/checkout?step=cart' },
+    })
+    ;(global.fetch as Mock).mockResolvedValue({
+      json: async () => ({
+        success: true,
+        redirectUrl: '/checkout?step=cart',
+      }),
+    })
+
+    render(<PasswordProtectionLogin />)
+    await fillAndSubmit()
+
+    await waitFor(() => {
+      expect(global.fetch).toHaveBeenCalled()
+    })
+
+    const [requestUrl, requestInit] = (global.fetch as Mock).mock.calls[0]
+    const url = new URL(requestUrl)
+
+    expect(url.pathname).toBe('/api/fs/password-protection/unlock')
+    expect(url.searchParams.get('returnTo')).toBe('/checkout?step=cart')
+    expect(requestInit).toMatchObject({
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ password: 'secret' }),
+    })
+    expect(window.location.href).toBe('/checkout?step=cart')
+  })
+
+  it('defaults returnTo to root and shows API validation errors', async () => {
+    mockUseRouter.mockReturnValue({ query: { returnTo: ['/unsafe'] } })
+    ;(global.fetch as Mock).mockResolvedValue({
+      json: async () => ({
+        success: false,
+        error: 'Invalid password',
+      }),
+    })
+
+    render(<PasswordProtectionLogin />)
+    await fillAndSubmit('wrong')
+
+    expect((await screen.findByRole('alert')).textContent).toBe(
+      'Invalid password'
+    )
+
+    const [requestUrl] = (global.fetch as Mock).mock.calls[0]
+    expect(new URL(requestUrl).searchParams.get('returnTo')).toBe('/')
+  })
+
+  it('uses the fallback invalid-password message when API omits an error', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      json: async () => ({ success: false }),
+    })
+
+    render(<PasswordProtectionLogin />)
+    await fillAndSubmit()
+
+    expect((await screen.findByRole('alert')).textContent).toBe(
+      'Invalid password'
+    )
+  })
+
+  it('shows service unavailable when the response is not a login payload', async () => {
+    ;(global.fetch as Mock).mockResolvedValue({
+      json: async () => null,
+    })
+
+    render(<PasswordProtectionLogin />)
+    await fillAndSubmit()
+
+    expect((await screen.findByRole('alert')).textContent).toBe(
+      'Service temporarily unavailable'
+    )
+  })
+
+  it('shows service unavailable when the login request fails', async () => {
+    ;(global.fetch as Mock).mockRejectedValue(new Error('network'))
+
+    render(<PasswordProtectionLogin />)
+    await fillAndSubmit()
+
+    expect((await screen.findByRole('alert')).textContent).toBe(
+      'Service temporarily unavailable'
+    )
+  })
+})

package/test/proxy.test.ts

@@ -0,0 +1,99 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const checkStoreProtectionMock = vi.hoisted(() => vi.fn())
+
+vi.mock('discovery.config', () => ({
+  __esModule: true,
+  default: {
+    localization: {
+      enabled: false,
+      locales: {},
+    },
+  },
+}))
+
+vi.mock('../src/server/password-protection-service', () => ({
+  PasswordProtectionService: class {
+    checkStoreProtection = checkStoreProtectionMock
+  },
+}))
+
+vi.mock('src/utils/localization/bindingPaths', () => ({
+  getCustomPathsFromBindings: vi.fn(() => []),
+  getSubdomainBindings: vi.fn(() => []),
+  isValidLocale: vi.fn(() => false),
+}))
+
+function request(path = '/products'): NextRequest {
+  return new NextRequest(`https://store.example.com${path}`, {
+    headers: { host: 'store.example.com' },
+  })
+}
+
+describe('proxy', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('returns an error response when access check throws', async () => {
+    checkStoreProtectionMock.mockRejectedValue(new Error('access check failed'))
+    const { proxy } = await import('../src/proxy')
+
+    const response = await proxy(request('/products'))
+
+    expect(response.type).toBe('error')
+  })
+
+  it('returns the protection response when access is blocked', async () => {
+    const redirect = NextResponse.redirect(
+      new URL(
+        '/password-protection?returnTo=%2Fproducts',
+        'https://store.example.com'
+      )
+    )
+    checkStoreProtectionMock.mockResolvedValue({ response: redirect })
+    const { proxy } = await import('../src/proxy')
+
+    const response = await proxy(request('/products'))
+
+    expect(response).toBe(redirect)
+    expect(response.status).toBe(307)
+    expect(response.headers.get('location')).toContain('/password-protection')
+  })
+
+  it('continues the request and copies protection cookies when access is allowed', async () => {
+    const protectionResponse = NextResponse.next()
+    protectionResponse.cookies.set('__fs_password_protection', 'jwt-abc')
+    checkStoreProtectionMock.mockResolvedValue({ response: protectionResponse })
+    const { proxy } = await import('../src/proxy')
+
+    const response = (await proxy(request('/products?sku=1'))) as NextResponse
+
+    expect(response.status).toBe(200)
+    expect(response.cookies.get('__fs_password_protection')?.value).toBe(
+      'jwt-abc'
+    )
+  })
+
+  it('keeps the root and data routes in the matcher configuration', async () => {
+    const { config } = await import('../src/proxy')
+    const dynamicRouteMatcher = config.matcher[1]
+    const matcherRegex = new RegExp(`^${dynamicRouteMatcher}$`)
+
+    expect(config.matcher).toContain('/')
+    expect(config.matcher).toContain('/_next/data/:path*')
+    expect(config.matcher).toEqual(
+      expect.arrayContaining([
+        expect.stringContaining('api/fs/password-protection/unlock$'),
+        expect.stringContaining('password-protection'),
+        expect.stringContaining('~partytown'),
+      ])
+    )
+    expect(config.matcher).not.toEqual(
+      expect.arrayContaining([expect.stringContaining('(?!api|')])
+    )
+    expect(matcherRegex.test('/api/fs/password-protection/unlock')).toBe(false)
+    expect(matcherRegex.test('/api/products')).toBe(true)
+  })
+})