@nexttylabs/echo 0.2.0

package/tests/api/organization-members.test.ts

@@ -0,0 +1,340 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { describe, expect, it } from "bun:test";
+import { buildRemoveMemberHandler } from "@/app/api/organizations/[orgId]/members/[memberId]/handler";
+import { buildUpdateMemberRoleHandler } from "@/app/api/organizations/[orgId]/members/[memberId]/handler";
+import { organizationMembers } from "@/lib/db/schema";
+
+type FakeDeps = Parameters<typeof buildRemoveMemberHandler>[0];
+
+type SelectLimitReturn = {
+  from: () => {
+    where: () => {
+      limit: (count: number) => Promise<Array<{ role: string }>>;
+    };
+  };
+};
+
+type SelectWhereReturn = {
+  from: () => {
+    where: () => Promise<Array<{ count: number }>>;
+  };
+};
+
+type DeleteReturn = {
+  where: () => Promise<void>;
+};
+
+type UpdateReturn = {
+  set: () => {
+    where: () => {
+      returning: () => Promise<Array<{ userId: string; role: string }>>;
+    };
+  };
+};
+
+type DepsOptions = {
+  sessionUserId?: string;
+  requesterRole?: string | null;
+  targetRole?: string | null;
+  adminCount?: number;
+};
+
+const makeDeps = (options: DepsOptions = {}) => {
+  const sessionUserId = options.sessionUserId ?? "user_1";
+  const requesterRole =
+    options.requesterRole === undefined ? "admin" : options.requesterRole;
+  const targetRole =
+    options.targetRole === undefined ? "member" : options.targetRole;
+  const adminCount = options.adminCount ?? 1;
+
+  const auth: FakeDeps["auth"] = {
+    api: {
+      getSession: async () => ({ user: { id: sessionUserId } }),
+    },
+  };
+
+  const memberResults: Array<Array<{ role: string }>> = [
+    requesterRole ? [{ role: requesterRole }] : [],
+    targetRole ? [{ role: targetRole }] : [],
+  ];
+
+  const select = (fields?: unknown) => {
+    if (fields) {
+      return {
+        from: () => ({
+          where: async () => [{ count: adminCount }],
+        }),
+      };
+    }
+
+    return {
+      from: () => ({
+        where: () => ({
+          limit: async () => memberResults.shift() ?? [],
+        }),
+      }),
+    };
+  };
+
+  let deleteCalled = false;
+  const del = (table?: unknown) => ({
+    where: async () => {
+      if (table === organizationMembers) {
+        deleteCalled = true;
+      }
+    },
+  });
+
+  const db: FakeDeps["db"] = {
+    select: select as unknown as () => SelectLimitReturn | SelectWhereReturn,
+    delete: del as unknown as () => DeleteReturn,
+  };
+
+  return {
+    auth,
+    db,
+    getDeleteCalled: () => deleteCalled,
+  } satisfies FakeDeps & { getDeleteCalled: () => boolean };
+};
+
+const makeUpdateDeps = (
+  options: DepsOptions & { updateResultRole?: string } = {},
+) => {
+  const base = makeDeps(options);
+  const updateRole = options.updateResultRole ?? "developer";
+
+  const update = () => ({
+    set: () => ({
+      where: () => ({
+        returning: async () => [{ userId: "user_2", role: updateRole }],
+      }),
+    }),
+  });
+
+  base.db.update = update as unknown as () => UpdateReturn;
+
+  return base;
+};
+
+describe("DELETE /api/organizations/:orgId/members/:memberId", () => {
+  it("rejects unauthenticated requests", async () => {
+    const deps = makeDeps();
+    deps.auth.api.getSession = async () => null;
+    const handler = buildRemoveMemberHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "DELETE",
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("rejects non-admin members", async () => {
+    const deps = makeDeps({ requesterRole: "member" });
+    const handler = buildRemoveMemberHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "DELETE",
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(403);
+  });
+
+  it("rejects non-members", async () => {
+    const deps = makeDeps({ requesterRole: null });
+    const handler = buildRemoveMemberHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "DELETE",
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(403);
+  });
+
+  it("returns 404 when target member missing", async () => {
+    const deps = makeDeps({ targetRole: null });
+    const handler = buildRemoveMemberHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "DELETE",
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(404);
+  });
+
+  it("blocks removing the last admin", async () => {
+    const deps = makeDeps({ targetRole: "admin", adminCount: 1 });
+    const handler = buildRemoveMemberHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "DELETE",
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    const json = await res.json();
+    expect(res.status).toBe(400);
+    expect(json.error).toBe("组织至少需要一个管理员");
+  });
+
+  it("blocks self removal", async () => {
+    const deps = makeDeps({ sessionUserId: "user_2" });
+    const handler = buildRemoveMemberHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "DELETE",
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    const json = await res.json();
+    expect(res.status).toBe(400);
+    expect(json.error).toBe("不能移除自己");
+  });
+
+  it("removes member when allowed", async () => {
+    const deps = makeDeps({ targetRole: "member", adminCount: 2 });
+    const handler = buildRemoveMemberHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "DELETE",
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(200);
+    expect(deps.getDeleteCalled()).toBe(true);
+  });
+
+  it("allows removing an admin when more than one admin exists", async () => {
+    const deps = makeDeps({ targetRole: "admin", adminCount: 2 });
+    const handler = buildRemoveMemberHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "DELETE",
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(200);
+    expect(deps.getDeleteCalled()).toBe(true);
+  });
+});
+
+describe("PUT /api/organizations/:orgId/members/:memberId", () => {
+  it("rejects unauthenticated requests", async () => {
+    const deps = makeUpdateDeps();
+    deps.auth.api.getSession = async () => null;
+    const handler = buildUpdateMemberRoleHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "PUT",
+        body: JSON.stringify({ role: "developer" }),
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("rejects non-admin members", async () => {
+    const deps = makeUpdateDeps({ requesterRole: "member" });
+    const handler = buildUpdateMemberRoleHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "PUT",
+        body: JSON.stringify({ role: "developer" }),
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(403);
+  });
+
+  it("rejects non-members", async () => {
+    const deps = makeUpdateDeps({ requesterRole: null });
+    const handler = buildUpdateMemberRoleHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "PUT",
+        body: JSON.stringify({ role: "developer" }),
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(403);
+  });
+
+  it("returns 400 for invalid role", async () => {
+    const deps = makeUpdateDeps();
+    const handler = buildUpdateMemberRoleHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "PUT",
+        body: JSON.stringify({ role: "guest" }),
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(400);
+  });
+
+  it("returns 404 when target member missing", async () => {
+    const deps = makeUpdateDeps({ targetRole: null });
+    const handler = buildUpdateMemberRoleHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "PUT",
+        body: JSON.stringify({ role: "developer" }),
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    expect(res.status).toBe(404);
+  });
+
+  it("blocks demoting the last admin", async () => {
+    const deps = makeUpdateDeps({ targetRole: "admin", adminCount: 1 });
+    const handler = buildUpdateMemberRoleHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "PUT",
+        body: JSON.stringify({ role: "developer" }),
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    const json = await res.json();
+    expect(res.status).toBe(400);
+    expect(json.error).toBe("组织至少需要一个管理员");
+  });
+
+  it("updates role when allowed", async () => {
+    const deps = makeUpdateDeps({
+      targetRole: "developer",
+      adminCount: 2,
+      updateResultRole: "product_manager",
+    });
+    const handler = buildUpdateMemberRoleHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations/org_1/members/user_2", {
+        method: "PUT",
+        body: JSON.stringify({ role: "product_manager" }),
+      }),
+      { params: { orgId: "org_1", memberId: "user_2" } },
+    );
+    const json = await res.json();
+    expect(res.status).toBe(200);
+    expect(json.data.role).toBe("product_manager");
+  });
+});

package/tests/api/organizations.test.ts

@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { describe, it, expect } from "bun:test";
+import { buildCreateOrganizationHandler } from "@/app/api/organizations/handler";
+import { organizations } from "@/lib/db/schema";
+
+type FakeDeps = Parameters<typeof buildCreateOrganizationHandler>[0];
+
+type SelectReturn = {
+  from: () => {
+    where: () => {
+      limit: (count: number) => Promise<unknown[]>;
+    };
+  };
+};
+
+type InsertReturn = {
+  values: (values: Record<string, unknown>) => {
+    returning: () => Promise<Array<{ id: string; slug: string }>>;
+  };
+};
+
+const makeDeps = () => {
+  const auth: FakeDeps["auth"] = {
+    api: {
+      getSession: async () => ({ user: { id: "user_1", role: "admin" } }),
+    },
+  };
+
+  const select = () => ({
+    from: () => ({
+      where: () => ({
+        limit: async () => [],
+      }),
+    }),
+  });
+
+  let organizationValues: Record<string, unknown> | null = null;
+
+  const insert = (table?: unknown) => ({
+    values: (values: Record<string, unknown>) => {
+      if (table === organizations) {
+        organizationValues = values;
+      }
+      return {
+        returning: async () => [{ id: "org_1", slug: "acme-1234" }],
+      };
+    },
+  });
+
+  const db: FakeDeps["db"] = {
+    select: select as unknown as () => SelectReturn,
+    transaction: async (fn) =>
+      fn({
+        insert: insert as unknown as () => InsertReturn,
+      }),
+  };
+
+  return { auth, db, getOrganizationValues: () => organizationValues } satisfies FakeDeps &
+    {
+      getOrganizationValues: () => Record<string, unknown> | null;
+    };
+};
+
+const makeDepsWithCollision = () => {
+  const deps = makeDeps();
+  let callCount = 0;
+  const select = () => ({
+    from: () => ({
+      where: () => ({
+        limit: async () => {
+          callCount += 1;
+          return callCount === 1 ? [{ id: "org_existing" }] : [];
+        },
+      }),
+    }),
+  });
+
+  deps.db.select = select as unknown as () => SelectReturn;
+  return deps;
+};
+
+describe("POST /api/organizations", () => {
+  it("rejects unauthenticated requests", async () => {
+    const deps = makeDeps();
+    deps.auth.api.getSession = async () => null;
+    const handler = buildCreateOrganizationHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations", { method: "POST" }),
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("creates organization and admin membership", async () => {
+    const deps = makeDeps();
+    const handler = buildCreateOrganizationHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations", {
+        method: "POST",
+        body: JSON.stringify({ name: "Acme", description: "Test" }),
+      }),
+    );
+    const json = await res.json();
+    expect(res.status).toBe(201);
+    expect(json.data.slug).toBeDefined();
+    expect(deps.getOrganizationValues()?.description).toBe("Test");
+  });
+
+  it("retries slug generation when collision occurs", async () => {
+    const handler = buildCreateOrganizationHandler(makeDepsWithCollision());
+    const res = await handler(
+      new Request("http://localhost/api/organizations", {
+        method: "POST",
+        body: JSON.stringify({ name: "Acme" }),
+      }),
+    );
+    expect(res.status).toBe(201);
+  });
+
+  it("returns 403 for non-admin users", async () => {
+    const deps = makeDeps();
+    deps.auth.api.getSession = async () => ({
+      user: { id: "user_1", role: "customer" },
+    });
+    const handler = buildCreateOrganizationHandler(deps);
+    const res = await handler(
+      new Request("http://localhost/api/organizations", {
+        method: "POST",
+        body: JSON.stringify({ name: "Acme" }),
+      }),
+    );
+    expect(res.status).toBe(403);
+  });
+});

package/tests/api/register.test.ts

@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { describe, it, expect } from "bun:test";
+import { APIError } from "better-auth/api";
+import { buildRegisterHandler } from "@/app/api/auth/register/handler";
+
+type FakeDeps = Parameters<typeof buildRegisterHandler>[0];
+
+const makeDeps = () => {
+  const auth: FakeDeps["auth"] = {
+    api: {
+      signUpEmail: async () => ({
+        headers: new Headers({
+          "set-cookie": "session=token; Path=/; HttpOnly",
+        }),
+        response: {
+          token: "token",
+          user: { id: "user_1", email: "john@example.com", name: "John" },
+        },
+      }),
+    },
+  };
+
+  const db: FakeDeps["db"] = {
+    transaction: async (fn) =>
+      fn({
+        insert: () => ({ values: () => ({ execute: async () => {} }) }),
+      }),
+    delete: () => ({ where: () => ({ execute: async () => {} }) }),
+  };
+
+  return { auth, db } satisfies FakeDeps;
+};
+
+describe("POST /api/auth/register", () => {
+  it("registers a user and sets cookie", async () => {
+    const handler = buildRegisterHandler(makeDeps());
+    const req = new Request("http://localhost/api/auth/register", {
+      method: "POST",
+      body: JSON.stringify({
+        name: "John",
+        email: "john@example.com",
+        password: "Password123",
+      }),
+    });
+
+    const res = await handler(req);
+    const json = await res.json();
+
+    expect(res.status).toBe(201);
+    expect(json.data.user.email).toBe("john@example.com");
+    expect(res.headers.get("set-cookie")).toContain("session=");
+  });
+
+  it("returns 409 when email exists", async () => {
+    const deps = makeDeps();
+    deps.auth.api.signUpEmail = async () => {
+      throw new APIError("UNPROCESSABLE_ENTITY", {
+        message: "User already exists. Use another email.",
+      });
+    };
+
+    const handler = buildRegisterHandler(deps);
+    const req = new Request("http://localhost/api/auth/register", {
+      method: "POST",
+      body: JSON.stringify({
+        name: "John",
+        email: "john@example.com",
+        password: "Password123",
+      }),
+    });
+
+    const res = await handler(req);
+    const json = await res.json();
+
+    expect(res.status).toBe(409);
+    expect(json.code).toBe("EMAIL_EXISTS");
+  });
+
+  it("validates email and password", async () => {
+    const handler = buildRegisterHandler(makeDeps());
+    const req = new Request("http://localhost/api/auth/register", {
+      method: "POST",
+      body: JSON.stringify({
+        name: "John",
+        email: "bad-email",
+        password: "weak",
+      }),
+    });
+
+    const res = await handler(req);
+    const json = await res.json();
+
+    expect(res.status).toBe(400);
+    expect(json.code).toBe("VALIDATION_ERROR");
+  });
+});

package/tests/api/upload.test.ts

@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { describe, expect, it } from "bun:test";
+import { buildUploadHandler } from "@/app/api/upload/handler";
+import { attachments } from "@/lib/db/schema";
+
+const makeDeps = () => {
+  const inserted: Record<string, unknown>[] = [];
+  const db = {
+    insert: (table?: unknown) => ({
+      values: (values: Record<string, unknown>) => {
+        if (table === attachments) {
+          inserted.push(values);
+        }
+        return {
+          returning: async () => [
+            {
+              attachmentId: 1,
+              ...values,
+              createdAt: new Date(),
+            },
+          ],
+        };
+      },
+    }),
+  };
+
+  const saveFile = async (file: File) => ({
+    fileName: file.name,
+    filePath: `uploads/${file.name}`,
+    fullPath: `/tmp/${file.name}`,
+  });
+
+  const validateFile = (file: File) =>
+    file.type === "text/plain"
+      ? { valid: false, error: "不支持的文件类型", code: "INVALID_FILE_TYPE" as const }
+      : { valid: true, mimeType: file.type as "image/png" };
+
+  return { db, saveFile, validateFile, inserted };
+};
+
+describe("POST /api/upload", () => {
+  it("rejects invalid file types", async () => {
+    const deps = makeDeps();
+    deps.validateFile = () => ({
+      valid: false,
+      error: "不支持的文件类型",
+      code: "INVALID_FILE_TYPE",
+    });
+    const handler = buildUploadHandler(deps);
+
+    const form = new FormData();
+    form.append("files", new File(["x"], "bad.txt", { type: "text/plain" }));
+    form.append("feedbackId", "1");
+
+    const res = await handler(
+      new Request("http://localhost/api/upload", {
+        method: "POST",
+        body: form,
+      }),
+    );
+
+    const json = await res.json();
+    expect(res.status).toBe(400);
+    expect(json.code).toBe("VALIDATION_ERROR");
+  });
+
+  it("uploads valid files", async () => {
+    const deps = makeDeps();
+    const handler = buildUploadHandler(deps);
+
+    const form = new FormData();
+    form.append("files", new File(["x"], "good.png", { type: "image/png" }));
+    form.append("feedbackId", "1");
+
+    const res = await handler(
+      new Request("http://localhost/api/upload", {
+        method: "POST",
+        body: form,
+      }),
+    );
+
+    const json = await res.json();
+    expect(res.status).toBe(201);
+    expect(json.data[0].attachmentId).toBe(1);
+    expect(deps.inserted.length).toBe(1);
+  });
+});