@nextsparkjs/theme-default 0.1.0-beta.20 → 0.1.0-beta.22

package/tests/cypress/e2e/api/billing/check-action.cy.ts

@@ -0,0 +1,326 @@
+// @ts-nocheck
+/// <reference types="cypress" />
+
+/**
+ * Billing API - check-action Endpoint Tests
+ *
+ * FIX1: Tests for the check-action endpoint that validates:
+ * - RBAC permissions (role-based access control)
+ * - Plan features (subscription-based access)
+ * - Quota limits (usage-based access)
+ *
+ * Session: 2025-12-20-subscriptions-system-v2
+ * Phase: 9 (api-tester)
+ */
+
+import * as allure from 'allure-cypress'
+
+const BillingAPIController = require('./BillingAPIController.js')
+
+describe('Billing API - check-action Endpoint', () => {
+  let billingAPI: any
+
+  const SUPERADMIN_API_KEY = 'test_api_key_for_testing_purposes_only_not_a_real_secret_key_abc123'
+  const TEAM_ID = 'team-tmt-001'
+  const BASE_URL = Cypress.config('baseUrl') || 'http://localhost:5173'
+
+  before(() => {
+    billingAPI = new BillingAPIController(BASE_URL, SUPERADMIN_API_KEY, TEAM_ID)
+    cy.log('BillingAPIController initialized')
+    cy.log(`Base URL: ${BASE_URL}`)
+    cy.log(`Team ID: ${TEAM_ID}`)
+  })
+
+  beforeEach(() => {
+    allure.epic('API')
+    allure.feature('Billing')
+    allure.story('check-action Endpoint')
+  })
+
+  // ============================================================
+  // TEST 1: Authentication
+  // ============================================================
+  describe('Authentication', () => {
+    it('BILLING_API_001: Should return 401 without authentication', () => {
+      allure.severity('critical')
+
+      // Remove API key
+      const originalApiKey = billingAPI.apiKey
+      billingAPI.setApiKey(null)
+
+      billingAPI.checkAction('tasks.create').then((response: any) => {
+        expect(response.status).to.eq(401)
+        expect(response.body.success).to.be.false
+
+        cy.log('✓ Returns 401 without auth')
+      })
+
+      // Restore API key
+      billingAPI.setApiKey(originalApiKey)
+    })
+
+    it('BILLING_API_002: Should accept API key authentication', () => {
+      allure.severity('critical')
+
+      billingAPI.checkAction('tasks.create').then((response: any) => {
+        expect(response.status).to.eq(200)
+        expect(response.body.success).to.be.true
+
+        cy.log('✓ Accepts API key authentication')
+      })
+    })
+
+    it('BILLING_API_003: Should require team context', () => {
+      allure.severity('critical')
+
+      // Remove team ID
+      const originalTeamId = billingAPI.teamId
+      billingAPI.setTeamId(null)
+
+      billingAPI.checkAction('tasks.create').then((response: any) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+        expect(response.body.error).to.include('team context')
+
+        cy.log('✓ Requires team context')
+      })
+
+      // Restore team ID
+      billingAPI.setTeamId(originalTeamId)
+    })
+  })
+
+  // ============================================================
+  // TEST 2: Allowed Actions (RBAC + Feature + Quota Pass)
+  // ============================================================
+  describe('Allowed Actions', () => {
+    it('BILLING_API_010: Should allow action with valid permissions', () => {
+      allure.severity('critical')
+
+      // Superadmin has all permissions
+      billingAPI.checkAction('tasks.create').then((response: any) => {
+        billingAPI.validateCheckActionResponse(response, true)
+
+        expect(response.body.data.allowed).to.be.true
+        expect(response.body.data.reason).to.be.undefined
+
+        cy.log('✓ Action allowed for superadmin')
+        cy.log(`Action: tasks.create`)
+      })
+    })
+
+    it('BILLING_API_011: Should allow multiple different actions', () => {
+      const actions = [
+        'tasks.create',
+        'customers.create',
+        'analytics.view_advanced',
+        'tasks.automate'
+      ]
+
+      actions.forEach((action) => {
+        billingAPI.checkAction(action).then((response: any) => {
+          expect(response.status).to.eq(200)
+          expect(response.body.data.allowed).to.be.true
+
+          cy.log(`✓ ${action} allowed`)
+        })
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 3: Feature Not in Plan (Subscription-based Access)
+  // ============================================================
+  describe('Feature Restrictions', () => {
+    it('BILLING_API_020: Should return feature_not_in_plan for missing feature', () => {
+      allure.severity('critical')
+
+      // This test assumes there's a feature that free plan doesn't have
+      // For now, we'll test the endpoint structure
+      // In a real scenario, you'd create a test user with free plan
+
+      cy.log('Note: This test checks endpoint structure')
+      cy.log('Full test requires multi-team setup with different plans')
+
+      // Using a hypothetical enterprise-only feature
+      billingAPI.checkAction('auth.configure_sso').then((response: any) => {
+        expect(response.status).to.eq(200)
+        expect(response.body.success).to.be.true
+        expect(response.body.data).to.have.property('allowed')
+
+        // With superadmin, this might be allowed or restricted
+        // The key is the endpoint works correctly
+        cy.log(`✓ Endpoint responds for feature check`)
+        cy.log(`Allowed: ${response.body.data.allowed}`)
+
+        if (!response.body.data.allowed) {
+          expect(response.body.data.reason).to.be.oneOf([
+            'feature_not_in_plan',
+            'no_permission'
+          ])
+        }
+      })
+    })
+
+    it('BILLING_API_021: Should check wildcard feature access', () => {
+      // Test wildcard feature support (*)
+      billingAPI.checkAction('custom.any_action').then((response: any) => {
+        expect(response.status).to.eq(200)
+        expect(response.body.success).to.be.true
+
+        // Superadmin with * should allow any action
+        cy.log(`✓ Wildcard feature check works`)
+        cy.log(`Allowed: ${response.body.data.allowed}`)
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 4: Quota Exceeded (Usage-based Access)
+  // ============================================================
+  describe('Quota Limits', () => {
+    it('BILLING_API_030: Should return quota info when checking limits', () => {
+      allure.severity('normal')
+
+      // Check an action that has quota limits
+      billingAPI.checkAction('tasks.create').then((response: any) => {
+        expect(response.status).to.eq(200)
+        expect(response.body.success).to.be.true
+        expect(response.body.data).to.have.property('allowed')
+
+        // If there's a quota check, it should include quota info
+        if (response.body.data.quota) {
+          expect(response.body.data.quota).to.have.property('current')
+          expect(response.body.data.quota).to.have.property('max')
+          expect(response.body.data.quota).to.have.property('allowed')
+
+          cy.log(`✓ Quota info included`)
+          cy.log(`Current: ${response.body.data.quota.current}/${response.body.data.quota.max}`)
+        } else {
+          cy.log('Note: No quota limit for this action')
+        }
+      })
+    })
+
+    it('BILLING_API_031: Should handle quota_exceeded scenario', () => {
+      // This test would require setting up a user at quota limit
+      // For now, we verify the endpoint handles the check correctly
+
+      cy.log('Note: Full quota_exceeded test requires quota setup')
+      cy.log('This verifies endpoint response structure')
+
+      billingAPI.checkAction('tasks.create').then((response: any) => {
+        expect(response.status).to.eq(200)
+        expect(response.body.data).to.have.property('allowed')
+
+        if (!response.body.data.allowed && response.body.data.reason === 'quota_exceeded') {
+          expect(response.body.data.quota).to.exist
+          expect(response.body.data.quota.current).to.be.gte(response.body.data.quota.max)
+
+          cy.log(`✓ Quota exceeded response correct`)
+        } else {
+          cy.log(`✓ User not at quota limit (allowed: ${response.body.data.allowed})`)
+        }
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 5: Validation & Error Handling
+  // ============================================================
+  describe('Validation', () => {
+    it('BILLING_API_040: Should reject request without action', () => {
+      allure.severity('normal')
+
+      cy.request({
+        method: 'POST',
+        url: `${BASE_URL}/api/v1/billing/check-action`,
+        headers: billingAPI.getHeaders(),
+        body: {},
+        failOnStatusCode: false
+      }).then((response) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+        expect(response.body.error).to.include('Validation')
+
+        cy.log('✓ Rejects empty action')
+      })
+    })
+
+    it('BILLING_API_041: Should reject invalid JSON', () => {
+      cy.request({
+        method: 'POST',
+        url: `${BASE_URL}/api/v1/billing/check-action`,
+        headers: {
+          ...billingAPI.getHeaders(),
+          'Content-Type': 'application/json'
+        },
+        body: 'invalid json',
+        failOnStatusCode: false
+      }).then((response) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+
+        cy.log('✓ Rejects invalid JSON')
+      })
+    })
+
+    it('BILLING_API_042: Should validate action is non-empty string', () => {
+      cy.request({
+        method: 'POST',
+        url: `${BASE_URL}/api/v1/billing/check-action`,
+        headers: billingAPI.getHeaders(),
+        body: { action: '' },
+        failOnStatusCode: false
+      }).then((response) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+
+        cy.log('✓ Rejects empty action string')
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 6: Integration - Complete Flow
+  // ============================================================
+  describe('Integration', () => {
+    it('BILLING_API_100: Should complete full permission check flow', () => {
+      allure.severity('critical')
+
+      const testAction = 'tasks.create'
+
+      // 1. Check action permission
+      billingAPI.checkAction(testAction).then((checkResponse: any) => {
+        expect(checkResponse.status).to.eq(200)
+        expect(checkResponse.body.success).to.be.true
+
+        cy.log(`1. Permission check: ${checkResponse.body.data.allowed ? 'ALLOWED' : 'DENIED'}`)
+
+        if (checkResponse.body.data.allowed) {
+          cy.log(`   ✓ User can perform: ${testAction}`)
+
+          if (checkResponse.body.data.quota) {
+            cy.log(`   Quota: ${checkResponse.body.data.quota.current}/${checkResponse.body.data.quota.max}`)
+          }
+        } else {
+          cy.log(`   ✗ Reason: ${checkResponse.body.data.reason}`)
+
+          if (checkResponse.body.data.quota) {
+            cy.log(`   Quota exceeded: ${checkResponse.body.data.quota.current}/${checkResponse.body.data.quota.max}`)
+          }
+        }
+
+        // 2. Verify response structure is consistent
+        expect(checkResponse.body.data).to.have.property('allowed')
+
+        if (!checkResponse.body.data.allowed) {
+          expect(checkResponse.body.data).to.have.property('reason')
+        }
+
+        cy.log('2. Response structure validated')
+        cy.log('✓ Full permission check flow completed')
+      })
+    })
+  })
+})

package/tests/cypress/e2e/api/billing/checkout.cy.ts

@@ -0,0 +1,358 @@
+// @ts-nocheck
+/// <reference types="cypress" />
+
+/**
+ * Billing API - Checkout Endpoint Tests
+ *
+ * P2: Stripe Integration - Tests for checkout session creation
+ * Tests the /api/v1/billing/checkout endpoint that creates Stripe Checkout sessions
+ *
+ * Session: 2025-12-20-subscriptions-system-v2
+ * Phase: 9 (api-tester)
+ */
+
+import * as allure from 'allure-cypress'
+
+const BillingAPIController = require('./BillingAPIController.js')
+
+describe('Billing API - Checkout Endpoint', () => {
+  let billingAPI: any
+
+  const SUPERADMIN_API_KEY = 'test_api_key_for_testing_purposes_only_not_a_real_secret_key_abc123'
+  const TEAM_ID = 'team-tmt-001'
+  const BASE_URL = Cypress.config('baseUrl') || 'http://localhost:5173'
+
+  before(() => {
+    billingAPI = new BillingAPIController(BASE_URL, SUPERADMIN_API_KEY, TEAM_ID)
+    cy.log('BillingAPIController initialized for Checkout tests')
+  })
+
+  beforeEach(() => {
+    allure.epic('API')
+    allure.feature('Billing')
+    allure.story('Checkout Endpoint')
+  })
+
+  // ============================================================
+  // TEST 1: Authentication
+  // ============================================================
+  describe('Authentication', () => {
+    it('CHECKOUT_API_001: Should return 401 without authentication', () => {
+      allure.severity('critical')
+
+      const originalApiKey = billingAPI.apiKey
+      billingAPI.setApiKey(null)
+
+      billingAPI.createCheckout({
+        planSlug: 'pro',
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        expect(response.status).to.eq(401)
+        expect(response.body.success).to.be.false
+
+        cy.log('✓ Returns 401 without auth')
+      })
+
+      billingAPI.setApiKey(originalApiKey)
+    })
+
+    it('CHECKOUT_API_002: Should accept API key authentication', () => {
+      allure.severity('critical')
+
+      billingAPI.createCheckout({
+        planSlug: 'pro',
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        // Should succeed (200) or fail gracefully (500) if Stripe not configured
+        expect([200, 500]).to.include(response.status)
+
+        if (response.status === 200) {
+          cy.log('✓ Checkout created successfully')
+        } else {
+          cy.log('✓ Auth passed, Stripe config may be missing (expected in test env)')
+        }
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 2: Validation
+  // ============================================================
+  describe('Validation', () => {
+    it('CHECKOUT_API_010: Should reject request without planSlug', () => {
+      allure.severity('critical')
+
+      billingAPI.createCheckout({
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+        expect(response.body.error).to.include('Validation')
+
+        cy.log('✓ Rejects missing planSlug')
+      })
+    })
+
+    it('CHECKOUT_API_011: Should reject invalid billingPeriod', () => {
+      billingAPI.createCheckout({
+        planSlug: 'pro',
+        billingPeriod: 'invalid-period'
+      }).then((response: any) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+
+        cy.log('✓ Rejects invalid billingPeriod')
+      })
+    })
+
+    it('CHECKOUT_API_012: Should default billingPeriod to monthly', () => {
+      billingAPI.createCheckout({
+        planSlug: 'pro'
+        // No billingPeriod specified
+      }).then((response: any) => {
+        // Should accept and default to 'monthly'
+        // May fail with 500 if Stripe not configured, which is OK
+        expect([200, 500]).to.include(response.status)
+
+        if (response.status === 500 && response.body.error) {
+          // Error might mention monthly in the context
+          cy.log('✓ Request accepted, defaults to monthly (Stripe config issue)')
+        } else if (response.status === 200) {
+          cy.log('✓ Defaults to monthly and creates session')
+        }
+      })
+    })
+
+    it('CHECKOUT_API_013: Should require team context', () => {
+      const originalTeamId = billingAPI.teamId
+      billingAPI.setTeamId(null)
+
+      billingAPI.createCheckout({
+        planSlug: 'pro',
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+        expect(response.body.error).to.include('team context')
+
+        cy.log('✓ Requires team context')
+      })
+
+      billingAPI.setTeamId(originalTeamId)
+    })
+
+    it('CHECKOUT_API_014: Should reject invalid JSON', () => {
+      cy.request({
+        method: 'POST',
+        url: `${BASE_URL}/api/v1/billing/checkout`,
+        headers: {
+          ...billingAPI.getHeaders(),
+          'Content-Type': 'application/json'
+        },
+        body: 'invalid json',
+        failOnStatusCode: false
+      }).then((response) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+
+        cy.log('✓ Rejects invalid JSON')
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 3: Successful Checkout Creation
+  // ============================================================
+  describe('Checkout Session Creation', () => {
+    it('CHECKOUT_API_020: Should create checkout for pro plan monthly', () => {
+      allure.severity('critical')
+
+      billingAPI.createCheckout({
+        planSlug: 'pro',
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        if (response.status === 200) {
+          billingAPI.validateCheckoutResponse(response)
+
+          expect(response.body.data.url).to.be.a('string')
+          expect(response.body.data.url.length).to.be.greaterThan(0)
+          expect(response.body.data.sessionId).to.be.a('string')
+
+          cy.log('✓ Checkout session created for pro monthly')
+          cy.log(`Session ID: ${response.body.data.sessionId}`)
+        } else if (response.status === 500) {
+          // Stripe not configured in test environment
+          expect(response.body.error).to.exist
+          cy.log('⚠ Stripe not configured (expected in test env)')
+          cy.log('✓ Endpoint structure correct')
+        } else {
+          throw new Error(`Unexpected status: ${response.status}`)
+        }
+      })
+    })
+
+    it('CHECKOUT_API_021: Should create checkout for pro plan yearly', () => {
+      billingAPI.createCheckout({
+        planSlug: 'pro',
+        billingPeriod: 'yearly'
+      }).then((response: any) => {
+        if (response.status === 200) {
+          expect(response.body.data.url).to.be.a('string')
+          expect(response.body.data.sessionId).to.be.a('string')
+
+          cy.log('✓ Checkout session created for pro yearly')
+        } else if (response.status === 500) {
+          cy.log('⚠ Stripe not configured (expected in test env)')
+        }
+      })
+    })
+
+    it('CHECKOUT_API_022: Should handle different plan slugs', () => {
+      const plans = ['free', 'pro', 'enterprise']
+
+      plans.forEach((planSlug) => {
+        billingAPI.createCheckout({
+          planSlug,
+          billingPeriod: 'monthly'
+        }).then((response: any) => {
+          // free plan might return error (no Stripe price)
+          // pro/enterprise might succeed or fail on Stripe config
+          expect([200, 400, 500]).to.include(response.status)
+
+          if (response.status === 200) {
+            cy.log(`✓ ${planSlug} plan checkout created`)
+          } else if (response.status === 400) {
+            cy.log(`✓ ${planSlug} plan rejected (might not have Stripe price)`)
+          } else {
+            cy.log(`✓ ${planSlug} plan handled (Stripe config issue)`)
+          }
+        })
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 4: Response Structure
+  // ============================================================
+  describe('Response Structure', () => {
+    it('CHECKOUT_API_030: Should return correct success response structure', () => {
+      billingAPI.createCheckout({
+        planSlug: 'pro',
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        if (response.status === 200) {
+          expect(response.body).to.have.property('success', true)
+          expect(response.body).to.have.property('data')
+          expect(response.body.data).to.have.property('url')
+          expect(response.body.data).to.have.property('sessionId')
+
+          cy.log('✓ Success response structure valid')
+        } else {
+          cy.log('⚠ Skipped - Stripe not configured')
+        }
+      })
+    })
+
+    it('CHECKOUT_API_031: Should return error response structure on failure', () => {
+      billingAPI.createCheckout({
+        planSlug: 'nonexistent-plan',
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        // Should fail with error
+        expect([400, 500]).to.include(response.status)
+        expect(response.body).to.have.property('success', false)
+        expect(response.body).to.have.property('error')
+        expect(response.body.error).to.be.a('string')
+
+        cy.log('✓ Error response structure valid')
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 5: Integration
+  // ============================================================
+  describe('Integration', () => {
+    it('CHECKOUT_API_100: Should complete checkout creation flow', () => {
+      allure.severity('critical')
+
+      const checkoutData = {
+        planSlug: 'pro',
+        billingPeriod: 'monthly'
+      }
+
+      cy.log('1. Creating checkout session...')
+
+      billingAPI.createCheckout(checkoutData).then((response: any) => {
+        cy.log(`   Status: ${response.status}`)
+
+        if (response.status === 200) {
+          cy.log('2. Checkout session created successfully')
+          cy.log(`   URL: ${response.body.data.url}`)
+          cy.log(`   Session ID: ${response.body.data.sessionId}`)
+
+          // In a real E2E test, you would:
+          // 3. Visit the checkout URL
+          // 4. Fill in test card details
+          // 5. Complete checkout
+          // 6. Verify webhook received
+          // 7. Verify subscription updated
+
+          cy.log('✓ Checkout creation flow completed')
+        } else {
+          cy.log('2. Stripe not configured in test environment')
+          cy.log('   This is expected - full E2E requires Stripe test mode')
+          cy.log('✓ Endpoint structure validated')
+        }
+      })
+    })
+  })
+
+  // ============================================================
+  // TEST 6: Edge Cases
+  // ============================================================
+  describe('Edge Cases', () => {
+    it('CHECKOUT_API_040: Should handle empty planSlug string', () => {
+      billingAPI.createCheckout({
+        planSlug: '',
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        expect(response.status).to.eq(400)
+        expect(response.body.success).to.be.false
+
+        cy.log('✓ Rejects empty planSlug')
+      })
+    })
+
+    it('CHECKOUT_API_041: Should handle plan with no Stripe price configured', () => {
+      // Free plan typically has no Stripe price
+      billingAPI.createCheckout({
+        planSlug: 'free',
+        billingPeriod: 'monthly'
+      }).then((response: any) => {
+        // Should fail gracefully
+        expect([400, 500]).to.include(response.status)
+        expect(response.body.success).to.be.false
+        expect(response.body.error).to.exist
+
+        cy.log('✓ Handles plan without Stripe price')
+      })
+    })
+
+    it('CHECKOUT_API_042: Should accept both monthly and yearly periods', () => {
+      const periods = ['monthly', 'yearly']
+
+      periods.forEach((period) => {
+        billingAPI.createCheckout({
+          planSlug: 'pro',
+          billingPeriod: period
+        }).then((response: any) => {
+          // Should either succeed or fail on Stripe config
+          expect([200, 500]).to.include(response.status)
+
+          cy.log(`✓ ${period} period handled correctly`)
+        })
+      })
+    })
+  })
+})