@nextsparkjs/theme-default 0.1.0-beta.44 → 0.1.0-beta.45

package/tests/cypress/e2e/api/_core/teams/teams-security.cy.ts

@@ -0,0 +1,415 @@
+/**
+ * Teams API - Security Tests
+ *
+ * Tests for security vulnerabilities in Teams PATCH endpoint:
+ * - Issue #1: Type coercion vulnerability (empty strings, 0, false, null)
+ * - Issue #2: Permission check order (owner-only fields)
+ * - Issue #3: Schema validation (owner vs non-owner schemas)
+ *
+ * Uses existing sample data users:
+ * - Owner: Carlos Mendoza (team-everpoint-001)
+ * - Admin: James Wilson (team-everpoint-001)
+ * - Member: Emily Johnson (team-everpoint-001)
+ *
+ * @tags @api @teams @security
+ */
+
+import * as allure from 'allure-cypress'
+import { loginAsOwner, loginAsAdmin, loginAsMember, BILLING_TEAMS } from '../../../../src/session-helpers'
+
+describe('Teams API - Security Tests', { tags: ['@api', '@teams', '@security'] }, () => {
+  // Use Everpoint Labs team from sample data (Carlos is owner, James is admin, Emily is member)
+  const TEST_TEAM_ID = BILLING_TEAMS.PRO.teamId // team-everpoint-001
+  const BASE_URL = Cypress.config('baseUrl') || 'http://localhost:3000'
+
+  beforeEach(() => {
+    allure.epic('API')
+    allure.feature('Teams')
+    allure.story('Security & Permission Enforcement')
+  })
+
+  describe('Issue #1: Type Coercion Vulnerability', () => {
+    context('As Admin (non-owner)', () => {
+      beforeEach(() => {
+        loginAsAdmin()
+        cy.visit('/dashboard') // Required for session cookies
+      })
+
+      it('SEC_TEAMS_001: Should reject PATCH with empty string for name', { tags: '@smoke' }, () => {
+        allure.severity('critical')
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: '' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.error).to.include('owner')
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+        })
+      })
+
+      it('SEC_TEAMS_002: Should reject PATCH with null for description', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { description: null },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.error).to.include('owner')
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+        })
+      })
+
+      it('SEC_TEAMS_003: Should reject PATCH with number (0) for name', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: 0 },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.error).to.include('owner')
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+        })
+      })
+
+      it('SEC_TEAMS_004: Should reject PATCH with boolean (false) for description', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { description: false },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.error).to.include('owner')
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+        })
+      })
+
+      it('SEC_TEAMS_005: Should reject PATCH with whitespace-only name', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: '   ' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.error).to.include('owner')
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+        })
+      })
+    })
+
+    context('As Member (non-owner)', () => {
+      beforeEach(() => {
+        loginAsMember()
+        cy.visit('/dashboard') // Required for session cookies
+      })
+
+      it('SEC_TEAMS_006: Should reject PATCH with empty string for name', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: '' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.error).to.include('owner')
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+        })
+      })
+
+      it('SEC_TEAMS_007: Should reject PATCH with description update', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { description: 'New description' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.error).to.include('owner')
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+        })
+      })
+    })
+  })
+
+  describe('Issue #2: Permission Check Order', () => {
+    context('Admin user (non-owner)', () => {
+      beforeEach(() => {
+        loginAsAdmin()
+        cy.visit('/dashboard')
+      })
+
+      it('SEC_TEAMS_010: Should return 403 with OWNER_ONLY reason when trying to update name', { tags: '@smoke' }, () => {
+        allure.severity('critical')
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: 'New Name by Admin' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+          expect(response.body.error).to.include('Only team owner')
+          expect(response.body.error).to.not.include('generic')
+        })
+      })
+
+      it('SEC_TEAMS_011: Should return 403 with OWNER_ONLY reason when trying to update description', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { description: 'New Description by Admin' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+          expect(response.body.error).to.include('Only team owner')
+        })
+      })
+
+      it('SEC_TEAMS_012: Should return specific error, not generic permission error', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: 'Test' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+          // Should NOT be generic "teams.update" permission error
+          expect(response.body.reason).to.not.eq('INSUFFICIENT_PERMISSIONS')
+        })
+      })
+    })
+
+    context('Member user (non-owner)', () => {
+      beforeEach(() => {
+        loginAsMember()
+        cy.visit('/dashboard')
+      })
+
+      it('SEC_TEAMS_013: Should return 403 with OWNER_ONLY reason when trying to update name', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: 'New Name by Member' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.success).to.be.false
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+        })
+      })
+    })
+  })
+
+  describe('Issue #3: Schema Validation (Owner vs Non-Owner)', () => {
+    context('Owner updates', () => {
+      beforeEach(() => {
+        loginAsOwner()
+        cy.visit('/dashboard')
+      })
+
+      it('SEC_TEAMS_020: Should use ownerUpdateTeamSchema for name updates', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: 'A' }, // Too short (min 2 chars)
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(400)
+          expect(response.body.success).to.be.false
+          expect(response.body.code).to.eq('VALIDATION_ERROR')
+          expect(response.body.error).to.include('at least 2 characters')
+        })
+      })
+
+      it('SEC_TEAMS_021: Should use ownerUpdateTeamSchema for description updates', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { description: null },
+          failOnStatusCode: false,
+        }).then((response) => {
+          // Should accept null for description
+          expect(response.status).to.eq(200)
+          expect(response.body.success).to.be.true
+        })
+      })
+
+      it('SEC_TEAMS_022: Should allow valid owner updates', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: {
+            name: 'Everpoint Labs Updated',
+            description: 'Updated description',
+          },
+        }).then((response) => {
+          expect(response.status).to.eq(200)
+          expect(response.body.success).to.be.true
+          expect(response.body.data.name).to.eq('Everpoint Labs Updated')
+          expect(response.body.data.description).to.eq('Updated description')
+        })
+      })
+
+      // Restore original name
+      after(() => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: 'Everpoint Labs' },
+        })
+      })
+    })
+
+    context('Admin updates (non-owner fields only)', () => {
+      beforeEach(() => {
+        loginAsAdmin()
+        cy.visit('/dashboard')
+      })
+
+      it('SEC_TEAMS_023: Should reject name/description fields before schema validation', () => {
+        // Should fail with 403 OWNER_ONLY, not 400 VALIDATION_ERROR
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { name: 'Test' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          expect(response.status).to.eq(403)
+          expect(response.body.reason).to.eq('OWNER_ONLY')
+          // Should NOT reach schema validation
+          expect(response.body.code).to.not.eq('VALIDATION_ERROR')
+        })
+      })
+
+      it('SEC_TEAMS_024: Should allow slug updates by admin', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { slug: 'everpoint-labs-new' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          // Current implementation: Admins can update slug
+          // If this fails, it means the permission system is correctly restricting admin slug updates
+          // We document both expected behaviors here
+          if (response.status === 200) {
+            expect(response.body.success).to.be.true
+            cy.log('✅ Admins CAN update slug (current behavior)')
+          } else if (response.status === 403) {
+            expect(response.body.reason).to.eq('OWNER_ONLY')
+            cy.log('✅ Admins CANNOT update slug (stricter behavior)')
+          }
+        })
+      })
+
+      it('SEC_TEAMS_025: Should allow avatarUrl updates by admin', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { avatarUrl: 'https://example.com/avatar.png' },
+          failOnStatusCode: false,
+        }).then((response) => {
+          // Similar to slug, this documents expected behavior
+          if (response.status === 200) {
+            expect(response.body.success).to.be.true
+            cy.log('✅ Admins CAN update avatarUrl (current behavior)')
+          } else if (response.status === 403) {
+            expect(response.body.reason).to.eq('OWNER_ONLY')
+            cy.log('✅ Admins CANNOT update avatarUrl (stricter behavior)')
+          }
+        })
+      })
+    })
+  })
+
+  describe('Issue #10: Description Max Length Documentation', () => {
+    context('Owner updates', () => {
+      beforeEach(() => {
+        loginAsOwner()
+        cy.visit('/dashboard')
+      })
+
+      it('SEC_TEAMS_030: Should accept very long descriptions (TEXT type, no limit)', () => {
+        const longDescription = 'A'.repeat(10000) // 10KB text
+
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { description: longDescription },
+        }).then((response) => {
+          expect(response.status).to.eq(200)
+          expect(response.body.success).to.be.true
+          expect(response.body.data.description).to.eq(longDescription)
+        })
+      })
+
+      it('SEC_TEAMS_031: Should accept null for description', () => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { description: null },
+        }).then((response) => {
+          expect(response.status).to.eq(200)
+          expect(response.body.success).to.be.true
+          expect(response.body.data.description).to.be.null
+        })
+      })
+
+      // Restore original description
+      after(() => {
+        cy.request({
+          method: 'PATCH',
+          url: `/api/v1/teams/${TEST_TEAM_ID}`,
+          body: { description: 'Enabling digital innovation through scalable platforms' },
+        })
+      })
+    })
+  })
+
+  describe('Dual Authentication Support', () => {
+    it('SEC_TEAMS_040: Should accept session-based auth for owner', () => {
+      loginAsOwner()
+      cy.visit('/dashboard')
+
+      cy.request({
+        method: 'PATCH',
+        url: `/api/v1/teams/${TEST_TEAM_ID}`,
+        body: { description: 'Session Auth Test' },
+      }).then((response) => {
+        expect(response.status).to.eq(200)
+        expect(response.body.success).to.be.true
+      })
+    })
+
+    it('SEC_TEAMS_041: Should reject request without auth', () => {
+      cy.clearAllSessionStorage()
+      cy.clearAllCookies()
+
+      cy.request({
+        method: 'PATCH',
+        url: `/api/v1/teams/${TEST_TEAM_ID}`,
+        body: { name: 'No Auth Test' },
+        failOnStatusCode: false,
+      }).then((response) => {
+        expect(response.status).to.eq(401)
+        expect(response.body.success).to.be.false
+        expect(response.body.code).to.eq('AUTHENTICATION_FAILED')
+      })
+    })
+  })
+})

package/tests/cypress/e2e/uat/_core/teams/inline-edit.cy.ts

@@ -0,0 +1,278 @@
+/// <reference types="cypress" />
+
+/**
+ * Inline Team Editing - E2E Tests
+ *
+ * Tests for inline editing of team name and description.
+ * Validates owner-only access and proper UI behavior.
+ *
+ * @see PR#1 for feature context
+ * @session 2026-01-11-pr1-translations-pom-fixes-v1
+ */
+
+import * as allure from 'allure-cypress'
+
+import { DevKeyringPOM } from '../../../../src/components/DevKeyringPOM'
+import { SettingsPOM } from '../../../../src/features/SettingsPOM'
+
+// Test users
+const USERS = {
+  OWNER: 'superadmin@cypress.com',    // Team owner (superadmin)
+  MEMBER: 'developer@cypress.com',    // Team member (developer - not owner of default team)
+}
+
+describe('Inline Team Editing', {
+  tags: ['@uat', '@feat-teams', '@team-settings', '@regression']
+}, () => {
+  const settings = SettingsPOM.create()
+
+  beforeEach(() => {
+    allure.epic('UAT')
+    allure.feature('Teams')
+    allure.story('Inline Team Editing')
+  })
+
+  // ============================================
+  // Owner Can Edit
+  // ============================================
+
+  describe('Owner Can Edit', () => {
+    beforeEach(() => {
+      cy.session('carlos-owner-inline-edit', () => {
+        cy.visit('/login')
+        const devKeyring = DevKeyringPOM.create()
+        devKeyring.validateVisible()
+        devKeyring.quickLoginByEmail(USERS.OWNER)
+        cy.url().should('include', '/dashboard')
+      })
+      cy.visit('/dashboard/settings/team', { timeout: 60000, failOnStatusCode: false })
+      settings.waitForTeam()
+    })
+
+    it('TEAM_EDIT_001: Owner can see edit buttons for name and description', { tags: '@smoke' }, () => {
+      allure.severity('critical')
+      allure.description('Verify that team owners can see edit icons for both team name and description fields')
+
+      settings.assertTeamNameEditable()
+      settings.assertTeamDescriptionEditable()
+    })
+
+    it('TEAM_EDIT_002: Owner can edit and save team name', () => {
+      allure.severity('critical')
+      allure.description('Verify that team owners can successfully edit and save the team name')
+
+      const newName = `Test Team ${Date.now()}`
+
+      settings.editAndSaveTeamName(newName)
+
+      // Wait for success feedback
+      cy.wait(500)
+
+      // Verify the new name is displayed
+      settings.getTeamNameText().should('contain', newName)
+    })
+
+    it('TEAM_EDIT_003: Owner can edit and save team description', () => {
+      allure.severity('critical')
+      allure.description('Verify that team owners can successfully edit and save the team description')
+
+      const newDesc = `Updated description ${Date.now()}`
+
+      settings.editAndSaveTeamDescription(newDesc)
+
+      // Wait for success feedback
+      cy.wait(500)
+
+      // Verify the new description is displayed
+      settings.getTeamDescriptionText().should('contain', newDesc)
+    })
+
+    it('TEAM_EDIT_004: Cancel editing team name preserves original value', () => {
+      allure.severity('normal')
+      allure.description('Verify that canceling team name editing does not save changes')
+
+      // Get original name
+      settings.getTeamNameText().then((originalName) => {
+        // Start editing
+        settings.editTeamName()
+        settings.typeTeamName('Changed Name That Should Not Save')
+        settings.cancelTeamName()
+
+        // Verify original name is preserved
+        settings.getTeamNameText().should('equal', originalName)
+      })
+    })
+
+    it('TEAM_EDIT_005: Cancel editing team description preserves original value', () => {
+      allure.severity('normal')
+      allure.description('Verify that canceling team description editing does not save changes')
+
+      // Get original description
+      settings.getTeamDescriptionText().then((originalDesc) => {
+        // Start editing
+        settings.editTeamDescription()
+        settings.typeTeamDescription('Changed description that should not save')
+        settings.cancelTeamDescription()
+
+        // Verify original description is preserved
+        settings.getTeamDescriptionText().should('equal', originalDesc)
+      })
+    })
+  })
+
+  // ============================================
+  // Member Cannot Edit
+  // ============================================
+
+  describe('Member Cannot Edit', () => {
+    beforeEach(() => {
+      cy.session('emily-member-inline-edit', () => {
+        cy.visit('/login')
+        const devKeyring = DevKeyringPOM.create()
+        devKeyring.validateVisible()
+        devKeyring.quickLoginByEmail(USERS.MEMBER)
+        cy.url().should('include', '/dashboard')
+      })
+      cy.visit('/dashboard/settings/team', { timeout: 60000, failOnStatusCode: false })
+      settings.waitForTeam()
+    })
+
+    it('TEAM_EDIT_010: Member cannot see edit button for team name', { tags: '@smoke' }, () => {
+      allure.severity('critical')
+      allure.description('Verify that non-owner team members cannot see edit icons for team name')
+
+      settings.assertTeamNameNotEditable()
+    })
+
+    it('TEAM_EDIT_011: Member cannot see edit button for team description', { tags: '@smoke' }, () => {
+      allure.severity('critical')
+      allure.description('Verify that non-owner team members cannot see edit icons for team description')
+
+      settings.assertTeamDescriptionNotEditable()
+    })
+  })
+
+  // ============================================
+  // Validation Tests
+  // ============================================
+
+  describe('Validation', () => {
+    beforeEach(() => {
+      cy.session('carlos-validation-inline-edit', () => {
+        cy.visit('/login')
+        const devKeyring = DevKeyringPOM.create()
+        devKeyring.validateVisible()
+        devKeyring.quickLoginByEmail(USERS.OWNER)
+        cy.url().should('include', '/dashboard')
+      })
+      cy.visit('/dashboard/settings/team', { timeout: 60000, failOnStatusCode: false })
+      settings.waitForTeam()
+    })
+
+    it('TEAM_EDIT_020: Name validation - minimum length (2 characters)', () => {
+      allure.severity('normal')
+      allure.description('Verify that team name must have at least 2 characters')
+
+      // Click edit, enter single character, try to save
+      settings.editTeamName()
+      settings.typeTeamName('A')
+      settings.saveTeamName()
+
+      // Should show validation error (in any locale)
+      cy.contains(/at least 2|mindestens 2|almeno 2|pelo menos 2|au moins 2|mínimo 2/i, { timeout: 5000 })
+        .should('be.visible')
+    })
+
+    it('TEAM_EDIT_021: Empty team name shows validation error', () => {
+      allure.severity('normal')
+      allure.description('Verify that team name cannot be empty')
+
+      // Click edit, clear input, try to save
+      settings.editTeamName()
+      cy.get(settings.selectors.teamEditNameInput).clear()
+      settings.saveTeamName()
+
+      // Should show validation error (in any locale)
+      cy.contains(/required|erforderlich|obbligatorio|obrigatório|requis/i, { timeout: 5000 })
+        .should('be.visible')
+    })
+
+    it('TEAM_EDIT_022: Empty team description is allowed', () => {
+      allure.severity('normal')
+      allure.description('Verify that team description can be empty (optional field)')
+
+      // Click edit, clear textarea, save
+      settings.editTeamDescription()
+      cy.get(settings.selectors.teamEditDescriptionTextarea).clear()
+      settings.saveTeamDescription()
+
+      // Wait for save to complete
+      cy.wait(500)
+
+      // No error should appear - description is optional
+      cy.get(settings.selectors.teamEditDescriptionError).should('not.exist')
+    })
+
+    it('TEAM_EDIT_023: Name validation - maximum length (100 characters)', () => {
+      allure.severity('normal')
+      allure.description('Verify that team name cannot exceed 100 characters')
+
+      const longName = 'A'.repeat(101) // 101 characters
+
+      settings.editTeamName()
+      settings.typeTeamName(longName)
+      settings.saveTeamName()
+
+      // Should show validation error (in any locale)
+      cy.contains(/maximum|maximal|massimo|máximo/i, { timeout: 5000 })
+        .should('be.visible')
+    })
+  })
+
+  // ============================================
+  // Multi-Locale Tests
+  // ============================================
+
+  describe('Multi-Locale Support', () => {
+    const locales = [
+      { code: 'de', name: 'German' },
+      { code: 'fr', name: 'French' },
+      { code: 'it', name: 'Italian' },
+      { code: 'pt', name: 'Portuguese' },
+    ]
+
+    locales.forEach(({ code, name }) => {
+      it(`TEAM_EDIT_030_${code.toUpperCase()}: Inline editing works in ${name} locale`, () => {
+        allure.severity('normal')
+        allure.description(`Verify that inline team editing displays correctly in ${name} locale`)
+
+        // Login as owner
+        cy.session(`carlos-locale-${code}`, () => {
+          cy.visit('/login')
+          const devKeyring = DevKeyringPOM.create()
+          devKeyring.validateVisible()
+          devKeyring.quickLoginByEmail(USERS.OWNER)
+          cy.url().should('include', '/dashboard')
+        })
+
+        // Visit with locale query param
+        cy.visit(`/dashboard/settings/team?locale=${code}`, { timeout: 60000, failOnStatusCode: false })
+        settings.waitForTeam()
+
+        // Verify edit icons are visible (selectors are locale-independent)
+        settings.assertTeamNameEditable()
+        settings.assertTeamDescriptionEditable()
+
+        // Test editing flow
+        const testName = `Test ${name} ${Date.now()}`
+        settings.editAndSaveTeamName(testName)
+
+        // Wait for save
+        cy.wait(500)
+
+        // Verify new name appears
+        settings.getTeamNameText().should('contain', testName)
+      })
+    })
+  })
+})