@tellescope/sdk 1.248.0 → 1.249.0

package/src/tests/api_tests/enduser_session_invalidation.test.ts

@@ -113,6 +113,229 @@ export const enduser_session_invalidation_tests = async ({ sdk, sdkNonAdmin } :
       console.error('Cleanup error:', error)
     }
   }
+
+  // --- OTP enablement invalidation tests ---
+
+  log_header("OTP Enablement Session Invalidation Tests")
+
+  // Helper to reset OTP settings
+  const resetOTPSettings = async (s: Session) => {
+    await s.api.organizations.updateOne(s.userInfo.businessId, {
+      portalSettings: { authentication: { requireOTP: false, requireOTPAfterPassword: false } },
+    }, { replaceObjectFields: true })
+  }
+
+  // Ensure OTP is off and db is clean before starting
+  await sdk.reset_db()
+  await wait(undefined, 500)
+  await resetOTPSettings(sdk)
+
+  try {
+
+  // Test 6: Enabling requireOTP invalidates multiple enduser sessions at once
+  await async_test(
+    'enabling requireOTP invalidates multiple enduser sessions',
+    async () => {
+      const endusers = await Promise.all([
+        sdk.api.endusers.createOne({ email: `otp-bulk-1-${Date.now()}@tellescope.com` }),
+        sdk.api.endusers.createOne({ email: `otp-bulk-2-${Date.now()}@tellescope.com` }),
+        sdk.api.endusers.createOne({ email: `otp-bulk-3-${Date.now()}@tellescope.com` }),
+      ])
+      try {
+        const tokens = await Promise.all(
+          endusers.map(e => sdk.api.endusers.generate_auth_token({ id: e.id, overrideOTP: true }))
+        )
+        const sessions = tokens.map(t => new EnduserSession({ host, authToken: t.authToken, businessId: sdk.userInfo.businessId }))
+
+        // Verify all tokens work
+        for (const s of sessions) {
+          await s.test_authenticated()
+        }
+
+        await wait(undefined, 2000)
+
+        // Enable OTP
+        await sdk.api.organizations.updateOne(sdk.userInfo.businessId, {
+          portalSettings: { authentication: { requireOTP: true } },
+        })
+
+        // Wait for side effect to process
+        await wait(undefined, 1000)
+
+        // All old tokens should be rejected
+        for (const s of sessions) {
+          try {
+            await s.test_authenticated()
+            return 'should have thrown'
+          } catch (e) { /* expected */ }
+        }
+
+        // New tokens should work
+        await wait(undefined, 2000)
+        for (const e of endusers) {
+          const { authToken: newToken } = await sdk.api.endusers.generate_auth_token({ id: e.id, overrideOTP: true })
+          const newSession = new EnduserSession({ host, authToken: newToken, businessId: sdk.userInfo.businessId })
+          await newSession.test_authenticated()
+        }
+
+        return 'passed'
+      } finally {
+        await resetOTPSettings(sdk)
+        for (const e of endusers) {
+          await sdk.api.endusers.deleteOne(e.id).catch(console.error)
+        }
+      }
+    },
+    { expectedResult: 'passed' }
+  )
+
+  // Test 7: Enabling requireOTPAfterPassword invalidates multiple enduser sessions
+  await async_test(
+    'enabling requireOTPAfterPassword invalidates multiple enduser sessions',
+    async () => {
+      const endusers = await Promise.all([
+        sdk.api.endusers.createOne({ email: `otp-mfa-1-${Date.now()}@tellescope.com` }),
+        sdk.api.endusers.createOne({ email: `otp-mfa-2-${Date.now()}@tellescope.com` }),
+      ])
+      try {
+        const tokens = await Promise.all(
+          endusers.map(e => sdk.api.endusers.generate_auth_token({ id: e.id, overrideOTP: true }))
+        )
+        const sessions = tokens.map(t => new EnduserSession({ host, authToken: t.authToken, businessId: sdk.userInfo.businessId }))
+
+        for (const s of sessions) {
+          await s.test_authenticated()
+        }
+
+        await wait(undefined, 2000)
+
+        await sdk.api.organizations.updateOne(sdk.userInfo.businessId, {
+          portalSettings: { authentication: { requireOTPAfterPassword: true } },
+        })
+
+        await wait(undefined, 1000)
+
+        for (const s of sessions) {
+          try {
+            await s.test_authenticated()
+            return 'should have thrown'
+          } catch (e) { /* expected */ }
+        }
+
+        // New tokens work
+        await wait(undefined, 2000)
+        for (const e of endusers) {
+          const { authToken: newToken } = await sdk.api.endusers.generate_auth_token({ id: e.id, overrideOTP: true })
+          const newSession = new EnduserSession({ host, authToken: newToken, businessId: sdk.userInfo.businessId })
+          await newSession.test_authenticated()
+        }
+
+        return 'passed'
+      } finally {
+        await resetOTPSettings(sdk)
+        for (const e of endusers) {
+          await sdk.api.endusers.deleteOne(e.id).catch(console.error)
+        }
+      }
+    },
+    { expectedResult: 'passed' }
+  )
+
+  // Reset rate limiting state before continuing
+  await sdk.reset_db()
+  await wait(undefined, 500)
+
+  // Test 8: Disabling OTP does NOT invalidate sessions
+  await async_test(
+    'disabling OTP does not invalidate sessions',
+    async () => {
+      // Enable OTP first
+      await sdk.api.organizations.updateOne(sdk.userInfo.businessId, {
+        portalSettings: { authentication: { requireOTP: true } },
+      })
+
+      await wait(undefined, 2000)
+
+      // Create enduser and token AFTER OTP is enabled (so token is valid)
+      const enduser = await sdk.api.endusers.createOne({ email: `otp-disable-${Date.now()}@tellescope.com` })
+      try {
+        const { authToken } = await sdk.api.endusers.generate_auth_token({ id: enduser.id, overrideOTP: true })
+        const enduserSession = new EnduserSession({ host, authToken, businessId: sdk.userInfo.businessId })
+        await enduserSession.test_authenticated()
+
+        await wait(undefined, 2000)
+
+        // Disable OTP
+        await sdk.api.organizations.updateOne(sdk.userInfo.businessId, {
+          portalSettings: { authentication: { requireOTP: false } },
+        }, { replaceObjectFields: true })
+
+        await wait(undefined, 1000)
+
+        // Old token should still work (disabling OTP should not invalidate)
+        return await enduserSession.test_authenticated()
+      } finally {
+        await resetOTPSettings(sdk)
+        await sdk.api.endusers.deleteOne(enduser.id).catch(console.error)
+      }
+    },
+    { expectedResult: 'Authenticated!' }
+  )
+
+  // Test 9: OTP invalidation is scoped to the updated organization only (multi-tenant)
+  await async_test(
+    'OTP invalidation is scoped to the updated organization only',
+    async () => {
+      const sdkOther = new Session({ host, apiKey: "ba745e25162bb95a795c5fa1af70df188d93c4d3aac9c48b34a5c8c9dd7b80f7" })
+
+      const otherEnduser = await sdkOther.api.endusers.createOne({ email: `otp-other-tenant-${Date.now()}@tellescope.com` })
+      const mainEnduser = await sdk.api.endusers.createOne({ email: `otp-main-tenant-${Date.now()}@tellescope.com` })
+
+      try {
+        const { authToken: otherToken } = await sdkOther.api.endusers.generate_auth_token({ id: otherEnduser.id, overrideOTP: true })
+        const otherEnduserSession = new EnduserSession({ host, authToken: otherToken, businessId: sdkOther.userInfo.businessId })
+
+        const { authToken: mainToken } = await sdk.api.endusers.generate_auth_token({ id: mainEnduser.id, overrideOTP: true })
+        const mainEnduserSession = new EnduserSession({ host, authToken: mainToken, businessId: sdk.userInfo.businessId })
+
+        // Both tokens work
+        await otherEnduserSession.test_authenticated()
+        await mainEnduserSession.test_authenticated()
+
+        await wait(undefined, 2000)
+
+        // Enable OTP on main tenant only
+        await sdk.api.organizations.updateOne(sdk.userInfo.businessId, {
+          portalSettings: { authentication: { requireOTP: true } },
+        })
+
+        await wait(undefined, 1000)
+
+        // Main tenant enduser's old token should be rejected
+        try {
+          await mainEnduserSession.test_authenticated()
+          return 'should have thrown'
+        } catch (e) { /* expected */ }
+
+        // Other tenant enduser's token should still work
+        await otherEnduserSession.test_authenticated()
+
+        return 'passed'
+      } finally {
+        await resetOTPSettings(sdk)
+        await sdk.api.endusers.deleteOne(mainEnduser.id).catch(console.error)
+        await sdkOther.api.endusers.deleteOne(otherEnduser.id).catch(console.error)
+      }
+    },
+    { expectedResult: 'passed' }
+  )
+
+  console.log("✅ All OTP Enablement Session Invalidation tests passed!")
+
+  } finally {
+    // Always reset OTP settings to prevent impacting other tests
+    await resetOTPSettings(sdk).catch(console.error)
+  }
 }
 
 // Allow running this test file independently

package/src/tests/api_tests/eom_procedure_codes.test.ts

@@ -0,0 +1,296 @@
+require('source-map-support').install();
+
+import { Session } from "../../sdk"
+import { async_test, log_header } from "@tellescope/testing"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || 'http://localhost:8080' as const
+
+const sampleProcedureCodes = [
+  {
+    code: 'G0019',
+    units: 1,
+    feeCents: 12000,
+    modifiers: ['25'],
+  },
+  {
+    code: 'G0022',
+    units: 0,
+  },
+]
+
+const sampleDiagnosisCodes = [
+  { code: 'Z71.3', description: 'Dietary counseling and surveillance' },
+]
+
+export const eom_procedure_codes_tests = async ({ sdk } : { sdk: Session, sdkNonAdmin: Session }) => {
+  log_header("EOM FormResponse Procedure Codes Tests")
+
+  const enduser = await sdk.api.endusers.createOne({ fname: 'EOM', lname: 'Test' })
+  const createdFormIds: string[] = []
+  const createdFormResponseIds: string[] = []
+
+  try {
+    // Bootstrap a base FormResponse via prepare_form_response (bypasses the
+    // form_responses.createOne path that requires non-empty responses).
+    const baseForm = await sdk.api.forms.createOne({ title: 'EOM Procedure Codes Base Form' })
+    createdFormIds.push(baseForm.id)
+    const { response: formResponse } = await sdk.api.form_responses.prepare_form_response({
+      formId: baseForm.id,
+      enduserId: enduser.id,
+    })
+    createdFormResponseIds.push(formResponse.id)
+
+    // ---------- FormResponse-level field tests (existing behavior) ----------
+    await async_test(
+      'updateOne accepts procedureCodes and diagnosisCodes on FormResponse',
+      () => sdk.api.form_responses.updateOne(formResponse.id, {
+        procedureCodes: sampleProcedureCodes,
+        diagnosisCodes: sampleDiagnosisCodes,
+      }),
+      { onResult: r => !!r && Array.isArray(r.procedureCodes) && r.procedureCodes.length === 2 && Array.isArray(r.diagnosisCodes) && r.diagnosisCodes.length === 1 }
+    )
+
+    await async_test(
+      'getOne returns persisted procedureCodes/diagnosisCodes',
+      () => sdk.api.form_responses.getOne(formResponse.id),
+      { onResult: r => (
+        r.procedureCodes?.[0]?.code === 'G0019'
+        && r.procedureCodes?.[0]?.units === 1
+        && r.procedureCodes?.[0]?.feeCents === 12000
+        && r.procedureCodes?.[1]?.code === 'G0022'
+        && r.procedureCodes?.[1]?.units === 0
+        && r.diagnosisCodes?.[0]?.code === 'Z71.3'
+      ) }
+    )
+
+    await async_test(
+      'updateOne rejects FormResponse procedureCode with non-string code',
+      () => sdk.api.form_responses.updateOne(formResponse.id, {
+        procedureCodes: [{ code: 12345 as any, units: 1 }],
+      }),
+      { shouldError: true, onError: () => true }
+    )
+
+    await async_test(
+      'updateOne rejects FormResponse procedureCode with negative units',
+      () => sdk.api.form_responses.updateOne(formResponse.id, {
+        procedureCodes: [{ code: 'G0019', units: -1 }],
+      }),
+      { shouldError: true, onError: () => true }
+    )
+
+    await async_test(
+      'updateOne rejects FormResponse diagnosisCode with non-string code',
+      () => sdk.api.form_responses.updateOne(formResponse.id, {
+        diagnosisCodes: [{ code: 12345 as any }],
+      }),
+      { shouldError: true, onError: () => true }
+    )
+
+    await async_test(
+      'updateOne can clear procedureCodes/diagnosisCodes with empty arrays via replaceObjectFields',
+      () => sdk.api.form_responses.updateOne(formResponse.id, {
+        procedureCodes: [],
+        diagnosisCodes: [],
+      }, { replaceObjectFields: true }),
+      { onResult: r => (
+        Array.isArray(r.procedureCodes) && r.procedureCodes.length === 0
+        && Array.isArray(r.diagnosisCodes) && r.diagnosisCodes.length === 0
+      ) }
+    )
+
+    // ---------- Form-level field validators ----------
+    await async_test(
+      'forms.createOne accepts valid procedureCodes/diagnosisCodes',
+      () => sdk.api.forms.createOne({
+        title: 'EOM Procedure Codes Form (valid codes)',
+        procedureCodes: sampleProcedureCodes,
+        diagnosisCodes: sampleDiagnosisCodes,
+      }),
+      { onResult: f => {
+        createdFormIds.push(f.id)
+        return f.procedureCodes?.length === 2
+          && f.procedureCodes?.[0]?.code === 'G0019'
+          && f.diagnosisCodes?.[0]?.code === 'Z71.3'
+      } }
+    )
+
+    await async_test(
+      'forms.createOne rejects procedureCode with non-string code',
+      () => sdk.api.forms.createOne({
+        title: 'EOM Bad Form',
+        procedureCodes: [{ code: 12345 as any, units: 1 }],
+      }),
+      { shouldError: true, onError: () => true }
+    )
+
+    await async_test(
+      'forms.createOne rejects procedureCode with negative units',
+      () => sdk.api.forms.createOne({
+        title: 'EOM Bad Form',
+        procedureCodes: [{ code: 'G0019', units: -1 }],
+      }),
+      { shouldError: true, onError: () => true }
+    )
+
+    await async_test(
+      'forms.createOne rejects diagnosisCode with non-string code',
+      () => sdk.api.forms.createOne({
+        title: 'EOM Bad Form',
+        diagnosisCodes: [{ code: 12345 as any }],
+      }),
+      { shouldError: true, onError: () => true }
+    )
+
+    // ---------- prepare_form_response copy-on-prepare from Form ----------
+    const formWithCodes = await sdk.api.forms.createOne({
+      title: 'EOM Procedure Codes Form (with codes)',
+      procedureCodes: sampleProcedureCodes,
+      diagnosisCodes: sampleDiagnosisCodes,
+    })
+    createdFormIds.push(formWithCodes.id)
+
+    let preparedFromFormResponseId = ''
+    await async_test(
+      'prepare_form_response copies procedureCodes/diagnosisCodes from Form when no args',
+      () => sdk.api.form_responses.prepare_form_response({
+        formId: formWithCodes.id,
+        enduserId: enduser.id,
+      }),
+      { onResult: r => {
+        preparedFromFormResponseId = r.response.id
+        createdFormResponseIds.push(r.response.id)
+        return r.response.procedureCodes?.length === 2
+          && r.response.procedureCodes?.[0]?.code === 'G0019'
+          && r.response.diagnosisCodes?.[0]?.code === 'Z71.3'
+      } }
+    )
+
+    await async_test(
+      'persisted FormResponse retains Form codes after prepare',
+      () => sdk.api.form_responses.getOne(preparedFromFormResponseId),
+      { onResult: r => (
+        r.procedureCodes?.length === 2
+        && r.procedureCodes?.[0]?.code === 'G0019'
+        && r.diagnosisCodes?.[0]?.code === 'Z71.3'
+      ) }
+    )
+
+    // ---------- prepare args override Form defaults ----------
+    const overrideProcedureCodes = [{ code: '99213', units: 1 }]
+    const overrideDiagnosisCodes = [{ code: 'E11.9', description: 'Type 2 diabetes' }]
+
+    let overridePreparedResponseId = ''
+    await async_test(
+      'prepare_form_response args override Form defaults',
+      () => sdk.api.form_responses.prepare_form_response({
+        formId: formWithCodes.id,
+        enduserId: enduser.id,
+        procedureCodes: overrideProcedureCodes,
+        diagnosisCodes: overrideDiagnosisCodes,
+      }),
+      { onResult: r => {
+        overridePreparedResponseId = r.response.id
+        createdFormResponseIds.push(r.response.id)
+        return r.response.procedureCodes?.length === 1
+          && r.response.procedureCodes?.[0]?.code === '99213'
+          && r.response.diagnosisCodes?.length === 1
+          && r.response.diagnosisCodes?.[0]?.code === 'E11.9'
+      } }
+    )
+
+    await async_test(
+      'persisted overridden FormResponse retains override codes',
+      () => sdk.api.form_responses.getOne(overridePreparedResponseId),
+      { onResult: r => (
+        r.procedureCodes?.[0]?.code === '99213'
+        && r.diagnosisCodes?.[0]?.code === 'E11.9'
+      ) }
+    )
+
+    // ---------- prepare with no Form defaults ----------
+    const formWithoutCodes = await sdk.api.forms.createOne({
+      title: 'EOM Procedure Codes Form (no codes)',
+    })
+    createdFormIds.push(formWithoutCodes.id)
+
+    await async_test(
+      'prepare_form_response with args on a Form lacking codes uses the args',
+      () => sdk.api.form_responses.prepare_form_response({
+        formId: formWithoutCodes.id,
+        enduserId: enduser.id,
+        procedureCodes: overrideProcedureCodes,
+        diagnosisCodes: overrideDiagnosisCodes,
+      }),
+      { onResult: r => {
+        createdFormResponseIds.push(r.response.id)
+        return r.response.procedureCodes?.[0]?.code === '99213'
+          && r.response.diagnosisCodes?.[0]?.code === 'E11.9'
+      } }
+    )
+
+    // ---------- prepare with no defaults and no args yields no codes ----------
+    await async_test(
+      'prepare_form_response with no codes anywhere produces FormResponse without codes',
+      () => sdk.api.form_responses.prepare_form_response({
+        formId: formWithoutCodes.id,
+        enduserId: enduser.id,
+      }),
+      { onResult: r => {
+        createdFormResponseIds.push(r.response.id)
+        return !r.response.procedureCodes && !r.response.diagnosisCodes
+      } }
+    )
+
+    // ---------- prepare rejects bad code shapes ----------
+    await async_test(
+      'prepare_form_response rejects procedureCode with non-string code',
+      () => sdk.api.form_responses.prepare_form_response({
+        formId: formWithoutCodes.id,
+        enduserId: enduser.id,
+        procedureCodes: [{ code: 12345 as any, units: 1 }],
+      }),
+      { shouldError: true, onError: () => true }
+    )
+
+    await async_test(
+      'prepare_form_response rejects procedureCode with negative units',
+      () => sdk.api.form_responses.prepare_form_response({
+        formId: formWithoutCodes.id,
+        enduserId: enduser.id,
+        procedureCodes: [{ code: 'G0019', units: -1 }],
+      }),
+      { shouldError: true, onError: () => true }
+    )
+  } finally {
+    for (const id of createdFormResponseIds) {
+      await sdk.api.form_responses.deleteOne(id).catch(() => {})
+    }
+    for (const id of createdFormIds) {
+      await sdk.api.forms.deleteOne(id).catch(() => {})
+    }
+    await sdk.api.endusers.deleteOne(enduser.id).catch(() => {})
+  }
+}
+
+if (require.main === module) {
+  console.log(`🌐 Using API URL: ${host}`)
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await eom_procedure_codes_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("✅ EOM procedure codes test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("❌ EOM procedure codes test suite failed:", error)
+      process.exit(1)
+    })
+}