@ihazz/bitrix24 0.2.5 → 1.0.1

package/tests/access-control.test.ts

@@ -1,5 +1,11 @@
 import { describe, it, expect, vi } from 'vitest';
-import { checkAccess, normalizeAllowEntry, checkAccessWithPairing } from '../src/access-control.js';
+import {
+  checkAccess,
+  checkAccessWithPairing,
+  getWebhookUserId,
+  normalizeAllowEntry,
+  normalizeAllowList,
+} from '../src/access-control.js';
 import type { PluginRuntime, ChannelPairingAdapter } from '../src/runtime.js';
 
 describe('normalizeAllowEntry', () => {
@@ -30,51 +36,72 @@ describe('normalizeAllowEntry', () => {
   });
 });
 
-describe('checkAccess', () => {
-  it('allows everyone in open mode', () => {
-    expect(checkAccess('1', { dmPolicy: 'open' })).toBe(true);
-    expect(checkAccess('999', { dmPolicy: 'open' })).toBe(true);
+describe('normalizeAllowList', () => {
+  it('normalizes, deduplicates and filters empty allowFrom entries', () => {
+    expect(normalizeAllowList([' bitrix24:42 ', '42', 'b24:7', ''])).toEqual(['42', '7']);
   });
 
-  it('defaults to pairing (returns false without runtime)', () => {
-    expect(checkAccess('1', {})).toBe(false);
+  it('returns empty list for missing allowFrom config', () => {
+    expect(normalizeAllowList(undefined)).toEqual([]);
   });
+});
 
-  it('allows listed users in allowlist mode', () => {
-    const config = { dmPolicy: 'allowlist' as const, allowFrom: ['1', '42'] };
-    expect(checkAccess('1', config)).toBe(true);
-    expect(checkAccess('42', config)).toBe(true);
+describe('getWebhookUserId', () => {
+  it('extracts owner ID from webhook URL', () => {
+    expect(getWebhookUserId('https://test.bitrix24.com/rest/42/token/')).toBe('42');
   });
 
-  it('denies unlisted users in allowlist mode', () => {
-    const config = { dmPolicy: 'allowlist' as const, allowFrom: ['1', '42'] };
-    expect(checkAccess('99', config)).toBe(false);
+  it('normalizes prefixed user IDs', () => {
+    expect(getWebhookUserId('https://test.bitrix24.com/rest/b24:42/token/')).toBe('42');
+  });
+
+  it('returns null for invalid URLs', () => {
+    expect(getWebhookUserId('not-a-url')).toBeNull();
   });
 
-  it('handles allowlist with prefixes', () => {
-    const config = { dmPolicy: 'allowlist' as const, allowFrom: ['b24:1', 'bitrix24:42'] };
-    expect(checkAccess('1', config)).toBe(true);
+  it('returns null when rest segment is missing', () => {
+    expect(getWebhookUserId('https://test.bitrix24.com/api/42/token/')).toBeNull();
+  });
+});
+
+describe('checkAccess', () => {
+  it('defaults to webhookUser and denies without a valid webhook owner', () => {
+    expect(checkAccess('1', {})).toBe(false);
+  });
+
+  it('allows only the webhook owner in webhookUser mode', () => {
+    const config = {
+      dmPolicy: 'webhookUser' as const,
+      webhookUrl: 'https://test.bitrix24.com/rest/42/token/',
+    };
+
     expect(checkAccess('42', config)).toBe(true);
     expect(checkAccess('99', config)).toBe(false);
   });
 
-  it('denies everyone when allowlist is empty', () => {
-    const config = { dmPolicy: 'allowlist' as const, allowFrom: [] };
-    expect(checkAccess('1', config)).toBe(false);
+  it('allows webhook owner when dmPolicy is omitted', () => {
+    expect(checkAccess('42', { webhookUrl: 'https://test.bitrix24.com/rest/42/token/' })).toBe(true);
   });
 
-  it('denies when allowlist is undefined', () => {
-    const config = { dmPolicy: 'allowlist' as const };
-    expect(checkAccess('1', config)).toBe(false);
+  it('keeps senderId as the access identity even when direct dialogId differs', () => {
+    const config = {
+      dmPolicy: 'webhookUser' as const,
+      webhookUrl: 'https://test.bitrix24.com/rest/42/token/',
+    };
+
+    expect(checkAccess('42', config, { dialogId: '2386', isDirect: true })).toBe(true);
+    expect(checkAccess('77', config, { dialogId: '42', isDirect: true })).toBe(false);
+  });
+
+  it('denies when webhookUser mode has no valid webhook owner', () => {
+    expect(checkAccess('42', { dmPolicy: 'webhookUser', webhookUrl: 'invalid' })).toBe(false);
   });
 
-  it('returns false for pairing mode (requires runtime)', () => {
+  it('returns false for pairing mode without runtime state', () => {
     expect(checkAccess('1', { dmPolicy: 'pairing' })).toBe(false);
   });
 });
 
-// ─── checkAccessWithPairing ─────────────────────────────────────────────────
-
 function makeMockRuntime(storeAllowFrom: string[] = []): PluginRuntime {
   return {
     config: { loadConfig: () => ({}) },
@@ -88,7 +115,7 @@ function makeMockRuntime(storeAllowFrom: string[] = []): PluginRuntime {
       pairing: {
         readAllowFromStore: vi.fn().mockResolvedValue(storeAllowFrom),
         upsertPairingRequest: vi.fn().mockResolvedValue({ code: 'ABCD1234', created: true }),
-        buildPairingReply: vi.fn().mockReturnValue({ text: 'Your pairing code: ABCD1234' }),
+        buildPairingReply: vi.fn().mockReturnValue('Your pairing code: ABCD1234'),
       },
     },
     logging: { getChildLogger: () => ({ info: vi.fn(), warn: vi.fn(), error: vi.fn(), debug: vi.fn() }) },
@@ -100,41 +127,112 @@ const mockAdapter: ChannelPairingAdapter = {
   normalizeAllowEntry: (entry) => entry.replace(/^(bitrix24|b24|bx24):/i, ''),
 };
 
-const silentLogger = { debug: () => {} };
+const silentLogger = { debug: vi.fn() };
 
 describe('checkAccessWithPairing', () => {
-  it('returns allow for open policy', async () => {
+  it('defaults to webhookUser when dmPolicy is omitted', async () => {
     const runtime = makeMockRuntime();
+
     const result = await checkAccessWithPairing({
-      senderId: '1',
-      config: { dmPolicy: 'open' },
+      senderId: '42',
+      config: { webhookUrl: 'https://test.bitrix24.com/rest/42/token/' },
       runtime,
       accountId: 'default',
       pairingAdapter: mockAdapter,
       sendReply: vi.fn(),
       logger: silentLogger,
     });
+
     expect(result).toBe('allow');
-    // Should NOT read store for open policy
     expect(runtime.channel.pairing.readAllowFromStore).not.toHaveBeenCalled();
   });
 
-  it('returns allow when sender is in config allowFrom', async () => {
+  it('allows only the webhook owner in webhookUser mode', async () => {
     const runtime = makeMockRuntime();
+    const sendReply = vi.fn();
+
     const result = await checkAccessWithPairing({
       senderId: '42',
-      config: { dmPolicy: 'pairing', allowFrom: ['42'] },
+      config: {
+        dmPolicy: 'webhookUser',
+        webhookUrl: 'https://test.bitrix24.com/rest/42/token/',
+      },
       runtime,
       accountId: 'default',
       pairingAdapter: mockAdapter,
-      sendReply: vi.fn(),
+      sendReply,
       logger: silentLogger,
     });
+
     expect(result).toBe('allow');
+    expect(runtime.channel.pairing.readAllowFromStore).not.toHaveBeenCalled();
+    expect(runtime.channel.pairing.upsertPairingRequest).not.toHaveBeenCalled();
+    expect(sendReply).not.toHaveBeenCalled();
   });
 
-  it('returns allow when sender is in file store', async () => {
+  it('keeps senderId as the identity in webhookUser mode even when dialogId differs', async () => {
+    const runtime = makeMockRuntime();
+
+    const allowed = await checkAccessWithPairing({
+      senderId: '42',
+      dialogId: '2386',
+      isDirect: true,
+      config: {
+        dmPolicy: 'webhookUser',
+        webhookUrl: 'https://test.bitrix24.com/rest/42/token/',
+      },
+      runtime,
+      accountId: 'default',
+      pairingAdapter: mockAdapter,
+      sendReply: vi.fn(),
+      logger: silentLogger,
+    });
+
+    const denied = await checkAccessWithPairing({
+      senderId: '77',
+      dialogId: '42',
+      isDirect: true,
+      config: {
+        dmPolicy: 'webhookUser',
+        webhookUrl: 'https://test.bitrix24.com/rest/42/token/',
+      },
+      runtime,
+      accountId: 'default',
+      pairingAdapter: mockAdapter,
+      sendReply: vi.fn(),
+      logger: silentLogger,
+    });
+
+    expect(allowed).toBe('allow');
+    expect(denied).toBe('deny');
+  });
+
+  it('denies non-owner users in webhookUser mode', async () => {
+    const runtime = makeMockRuntime();
+    const sendReply = vi.fn();
+
+    const result = await checkAccessWithPairing({
+      senderId: '77',
+      config: {
+        dmPolicy: 'webhookUser',
+        webhookUrl: 'https://test.bitrix24.com/rest/42/token/',
+      },
+      runtime,
+      accountId: 'default',
+      pairingAdapter: mockAdapter,
+      sendReply,
+      logger: silentLogger,
+    });
+
+    expect(result).toBe('deny');
+    expect(runtime.channel.pairing.readAllowFromStore).not.toHaveBeenCalled();
+    expect(runtime.channel.pairing.upsertPairingRequest).not.toHaveBeenCalled();
+    expect(sendReply).not.toHaveBeenCalled();
+  });
+
+  it('returns allow when sender is in pairing store', async () => {
     const runtime = makeMockRuntime(['42']);
+
     const result = await checkAccessWithPairing({
       senderId: '42',
       config: { dmPolicy: 'pairing' },
@@ -144,40 +242,68 @@ describe('checkAccessWithPairing', () => {
       sendReply: vi.fn(),
       logger: silentLogger,
     });
+
     expect(result).toBe('allow');
   });
 
-  it('merges config and store allowFrom (deduped)', async () => {
-    const runtime = makeMockRuntime(['42', '99']);
+  it('returns allow when sender is in config allowFrom', async () => {
+    const runtime = makeMockRuntime();
+
     const result = await checkAccessWithPairing({
-      senderId: '99',
-      config: { dmPolicy: 'allowlist', allowFrom: ['42'] },
+      senderId: '42',
+      config: {
+        dmPolicy: 'pairing',
+        allowFrom: ['bitrix24:42'],
+      },
       runtime,
       accountId: 'default',
       pairingAdapter: mockAdapter,
       sendReply: vi.fn(),
       logger: silentLogger,
     });
+
     expect(result).toBe('allow');
+    expect(runtime.channel.pairing.upsertPairingRequest).not.toHaveBeenCalled();
   });
 
-  it('returns deny for allowlist when sender not in merged list', async () => {
+  it('uses senderId as the pairing identity even when direct dialogId differs', async () => {
     const runtime = makeMockRuntime(['42']);
+
     const result = await checkAccessWithPairing({
-      senderId: '999',
-      config: { dmPolicy: 'allowlist', allowFrom: ['1'] },
+      senderId: '42',
+      dialogId: '42',
+      isDirect: true,
+      config: { dmPolicy: 'pairing' },
       runtime,
       accountId: 'default',
       pairingAdapter: mockAdapter,
       sendReply: vi.fn(),
       logger: silentLogger,
     });
-    expect(result).toBe('deny');
+
+    expect(result).toBe('allow');
+  });
+
+  it('normalizes prefixed entries from pairing store', async () => {
+    const runtime = makeMockRuntime(['b24:42']);
+
+    const result = await checkAccessWithPairing({
+      senderId: '42',
+      config: { dmPolicy: 'pairing' },
+      runtime,
+      accountId: 'default',
+      pairingAdapter: mockAdapter,
+      sendReply: vi.fn(),
+      logger: silentLogger,
+    });
+
+    expect(result).toBe('allow');
   });
 
   it('upserts pairing request and sends reply for new pairing', async () => {
     const runtime = makeMockRuntime();
     const sendReply = vi.fn();
+
     const result = await checkAccessWithPairing({
       senderId: '77',
       config: { dmPolicy: 'pairing' },
@@ -187,7 +313,9 @@ describe('checkAccessWithPairing', () => {
       sendReply,
       logger: silentLogger,
     });
+
     expect(result).toBe('pairing');
+    expect(runtime.channel.pairing.readAllowFromStore).toHaveBeenCalledWith('bitrix24', '', 'default');
     expect(runtime.channel.pairing.upsertPairingRequest).toHaveBeenCalledWith({
       channel: 'bitrix24',
       id: '77',
@@ -210,6 +338,7 @@ describe('checkAccessWithPairing', () => {
       created: false,
     });
     const sendReply = vi.fn();
+
     const result = await checkAccessWithPairing({
       senderId: '77',
       config: { dmPolicy: 'pairing' },
@@ -219,21 +348,8 @@ describe('checkAccessWithPairing', () => {
       sendReply,
       logger: silentLogger,
     });
+
     expect(result).toBe('pairing');
     expect(sendReply).not.toHaveBeenCalled();
   });
-
-  it('normalizes config allowFrom entries with prefixes', async () => {
-    const runtime = makeMockRuntime();
-    const result = await checkAccessWithPairing({
-      senderId: '42',
-      config: { dmPolicy: 'pairing', allowFrom: ['b24:42'] },
-      runtime,
-      accountId: 'default',
-      pairingAdapter: mockAdapter,
-      sendReply: vi.fn(),
-      logger: silentLogger,
-    });
-    expect(result).toBe('allow');
-  });
 });

package/tests/api.test.ts

@@ -0,0 +1,95 @@
+import { describe, it, expect, vi, afterEach } from 'vitest';
+import { Bitrix24Api } from '../src/api.js';
+import { Bitrix24ApiError } from '../src/utils.js';
+
+const silentLogger = {
+  info: vi.fn(),
+  warn: vi.fn(),
+  error: vi.fn(),
+  debug: vi.fn(),
+};
+
+describe('Bitrix24Api', () => {
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.restoreAllMocks();
+  });
+
+  it('calls webhook with a request timeout signal', async () => {
+    const api = new Bitrix24Api({ logger: silentLogger });
+    const fetchSpy = vi.spyOn(globalThis, 'fetch').mockResolvedValueOnce(
+      new Response(JSON.stringify({ result: { ok: true } }), { status: 200 }),
+    );
+
+    const result = await api.callWebhook(
+      'https://test.bitrix24.com/rest/1/token/',
+      'profile',
+      { foo: 'bar' },
+    );
+
+    expect(result).toEqual({ result: { ok: true } });
+    expect(fetchSpy).toHaveBeenCalledWith(
+      'https://test.bitrix24.com/rest/1/token/profile.json',
+      expect.objectContaining({
+        method: 'POST',
+        body: JSON.stringify({ foo: 'bar' }),
+        signal: expect.any(AbortSignal),
+      }),
+    );
+  });
+
+  it('maps timeout errors to Bitrix24ApiError', async () => {
+    const api = new Bitrix24Api({ logger: silentLogger });
+    vi.useFakeTimers();
+    vi.spyOn(globalThis, 'fetch').mockRejectedValue(
+      Object.assign(new Error('timed out'), { name: 'TimeoutError' }),
+    );
+
+    const assertion = expect(
+      api.callWebhook('https://test.bitrix24.com/rest/1/token/', 'profile'),
+    ).rejects.toMatchObject({
+      name: 'Bitrix24ApiError',
+      code: 'TIMEOUT',
+    });
+    await vi.runAllTimersAsync();
+    await assertion;
+  });
+
+  it('retries transient network fetch failures', async () => {
+    const api = new Bitrix24Api({ logger: silentLogger });
+    vi.useFakeTimers();
+    const fetchSpy = vi.spyOn(globalThis, 'fetch')
+      .mockRejectedValueOnce(Object.assign(new TypeError('fetch failed'), {
+        cause: { code: 'ECONNRESET' },
+      }))
+      .mockResolvedValueOnce(
+        new Response(JSON.stringify({ result: { ok: true } }), { status: 200 }),
+      );
+
+    const assertion = expect(api.callWebhook(
+      'https://test.bitrix24.com/rest/1/token/',
+      'profile',
+      { foo: 'bar' },
+    )).resolves.toEqual({ result: { ok: true } });
+    await vi.runAllTimersAsync();
+    await assertion;
+    expect(fetchSpy).toHaveBeenCalledTimes(2);
+  });
+
+  it('throws INVALID_RESPONSE when sendMessage result has no valid id', async () => {
+    const api = new Bitrix24Api({ logger: silentLogger });
+    vi.spyOn(api, 'callWebhook').mockResolvedValueOnce({
+      result: {} as never,
+    });
+
+    await expect(api.sendMessage(
+      'https://test.bitrix24.com/rest/1/token/',
+      { botId: 7, botToken: 'bot_token' },
+      '42',
+      'hello',
+    )).rejects.toMatchObject({
+      name: 'Bitrix24ApiError',
+      code: 'INVALID_RESPONSE',
+    });
+  });
+});