@tellescope/sdk 1.252.2 → 1.253.0

package/src/tests/api_tests/mdi_webhooks.test.ts

@@ -0,0 +1,99 @@
+require('source-map-support').install();
+
+import { Session } from "../../sdk"
+import {
+  assert,
+  log_header,
+} from "@tellescope/testing"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || 'http://localhost:8080' as const
+
+const mdiUrl = `${host}/v1/webhooks/mdi`
+
+/**
+ * POST a JSON payload to the MDI webhook endpoint with optional auth/signature headers.
+ */
+const postMDI = async (body: object, headers: Record<string, string> = {}) => {
+  const res = await fetch(mdiUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify(body),
+  })
+  let data: any
+  try { data = await res.text() } catch { data = null }
+  return { status: res.status, data }
+}
+
+/**
+ * MD Integrations Webhooks Tests
+ *
+ * The inbound endpoint is security-first: it authenticates the tenant via the
+ * static Authorization token BEFORE any DB write or side effect. These tests
+ * assert those rejection paths, which don't require a configured MDI integration.
+ *
+ * NOTE: a full event round-trip (case_approved -> mdiStatus, offering_submitted
+ * -> enduser_medications, message_created -> chat, etc.) requires an MDI
+ * integration row carrying the Authorization token in webhooksSecret.
+ * That row can only be created through the connect flow against valid MDI
+ * Sandbox credentials (add_api_key_integration validates client creds via a live
+ * MDI API call), so the end-to-end path is exercised in the Sandbox per the task
+ * plan rather than here.
+ */
+export const mdi_webhooks_tests = async ({ sdk, sdkNonAdmin }: { sdk: Session, sdkNonAdmin: Session }) => {
+  log_header("MD Integrations Webhooks Tests")
+
+  // 1. Missing Authorization header -> 401 (tenant cannot be identified)
+  {
+    const { status } = await postMDI({ event_type: 'case_approved', case_id: 'mdi-case-test-1' })
+    assert(status === 401, `missing Authorization should 401 (got ${status})`, "MDI webhook rejects missing Authorization")
+  }
+
+  // 2. Bogus Authorization token (no matching integration) -> 401
+  {
+    const { status } = await postMDI(
+      { event_type: 'case_approved', case_id: 'mdi-case-test-1' },
+      { 'Authorization': `Bearer not-a-real-mdi-token-${Date.now()}` },
+    )
+    assert(status === 401, `unknown Authorization should 401 (got ${status})`, "MDI webhook rejects unknown Authorization")
+  }
+
+  // 3. Missing event_type -> 400 (bad request), still before any tenant work
+  {
+    const { status } = await postMDI(
+      { case_id: 'mdi-case-test-1' } as any,
+      { 'Authorization': `Bearer not-a-real-mdi-token-${Date.now()}` },
+    )
+    assert(status === 400 || status === 401, `missing event_type should 400/401 (got ${status})`, "MDI webhook rejects payload without event_type")
+  }
+
+  // 4. message_created with bogus auth -> still 401 (auth precedes patient lookup)
+  {
+    const { status } = await postMDI(
+      { event_type: 'message_created', patient_id: 'mdi-patient-x', message_id: 'm-1', user_type: 'App\\Models\\User' },
+      { 'Authorization': `Bearer not-a-real-mdi-token-${Date.now()}` },
+    )
+    assert(status === 401, `message_created with bad auth should 401 (got ${status})`, "MDI webhook authenticates before patient lookup")
+  }
+}
+
+// Allow running this test file independently
+if (require.main === module) {
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await mdi_webhooks_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("✅ MD Integrations webhooks test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("❌ MD Integrations webhooks test suite failed:", error)
+      process.exit(1)
+    })
+}

package/src/tests/api_tests/no_access_permission_checks.test.ts

@@ -80,6 +80,44 @@ export const no_access_permission_checks_tests = async ({ sdk, sdkNonAdmin } : {
   const originalRoles = sdkNonAdmin.userInfo.roles
 
   try {
+    // ========================================
+    // Test 0: Healthie proxy_read endpoints are admin-only
+    // ========================================
+    // These run before any role manipulation, while sdkNonAdmin has its default non-admin role.
+    // The admin check is inline with the Healthie dispatch branches (after integration resolution),
+    // so a throwaway Healthie integration record must exist for requests to reach it.
+    log_header("Test 0: Healthie proxy_read endpoints reject non-admins")
+
+    const healthieIntegration = await sdk.api.integrations.createOne({
+      title: 'Healthie',
+      authentication: { type: 'apiKey', info: { access_token: 'dummy-healthie-key-for-admin-only-test', refresh_token: 'unused', scope: '', token_type: 'Bearer', expiry_date: new Date().getTime() } },
+    })
+    try {
+      await async_test(
+        "proxy_read healthie patients - should block non-admin user",
+        () => sdkNonAdmin.api.integrations.proxy_read({ integration: 'Healthie', type: 'patients' }),
+        { shouldError: true, onError: (e: any) => e.message === "Admin access required" }
+      )
+      await async_test(
+        "proxy_read healthie appointment-types - should block non-admin user",
+        () => sdkNonAdmin.api.integrations.proxy_read({ integration: 'Healthie', type: 'appointment-types' }),
+        { shouldError: true, onError: (e: any) => e.message === "Admin access required" }
+      )
+      // Admin is not blocked by the role check (the dummy credentials fail upstream in Healthie's API,
+      // but never with the 403 role rejection)
+      try {
+        await sdk.api.integrations.proxy_read({ integration: 'Healthie', type: 'patients', query: JSON.stringify({ pageSize: 1 }) })
+        console.log("✅ proxy_read healthie patients - admin allowed")
+      } catch (e: any) {
+        if (e.message === "Admin access required") {
+          throw new Error("proxy_read healthie patients - admin was incorrectly blocked by the role check")
+        }
+        console.log("✅ proxy_read healthie patients - admin passes role check (dummy Healthie credentials rejected upstream)")
+      }
+    } finally {
+      await sdk.api.integrations.deleteOne(healthieIntegration.id)
+    }
+
     // Assign the restricted role to non-admin user
     await sdk.api.users.updateOne(sdkNonAdmin.userInfo.id, { roles: [noAccessTestRole] }, { replaceObjectFields: true })
     await wait(undefined, 1500) // wait for role change to propagate

package/src/tests/api_tests/set_fields_order_templates.test.ts

@@ -228,12 +228,134 @@ const beluga_webhook_block = async ({ sdk }: { sdk: Session }) => {
   }
 }
 
+// Block C: Beluga tracking status update events (PACKAGE_*)
+const beluga_tracking_status_block = async ({ sdk }: { sdk: Session }) => {
+  log_header("Block C: Beluga tracking status updates (PACKAGE_* events)")
+
+  const webhookUrl = `${host}/v1/webhooks/beluga`
+  const externalOrderId = `EXT-C-${Date.now()}`
+  const trackingUrl = 'https://tools.usps.com/go/TrackConfirmAction?tLabels=9400-CCC'
+
+  const enduser = await sdk.api.endusers.createOne({})
+  const form = await sdk.api.forms.createOne({ title: 'Tracking Status Beluga Form' })
+  const formResponse = await sdk.api.form_responses.createOne({
+    formId: form.id,
+    enduserId: enduser.id,
+    formTitle: form.title,
+  })
+
+  const inTransitTrigger = await sdk.api.automation_triggers.createOne({
+    title: `${TRIGGER_TITLE_BLOCK_B} (In Transit)`,
+    status: 'Active',
+    event: { type: 'Order Status Equals', info: { source: 'Beluga', status: 'In Transit' } },
+    action: buildSetFieldsAction('pharmacy'),
+  })
+
+  const postEvent = async (event: string, info?: object) => {
+    const res = await fetch(webhookUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        masterId: `tellescope_${formResponse.id}`,
+        event,
+        orderId: externalOrderId,
+        ...info ? { info } : {},
+      }),
+    })
+    assert(res.status === 200, `Beluga webhook (${event}) expected 200, got ${res.status}`)
+    await wait(undefined, 250) // webhook upsert + trigger + Set Fields
+  }
+
+  const getOrder = async () => {
+    const orders = await sdk.api.enduser_orders.getSome({
+      filter: { source: 'Beluga', externalId: externalOrderId } as any,
+    })
+    return orders[0]
+  }
+
+  try {
+    // Order ships first, then tracking updates arrive
+    await postEvent('PHARMACY_ORDER_SHIPPED', { carrier: 'USPS', tracking: '9400-CCC' })
+
+    await postEvent('PACKAGE_IN_TRANSIT', {
+      trackerStatus: 'in_transit',
+      trackerId: 'trk_123',
+      trackingUrl,
+      tracking: '9400-CCC',
+      carrier: 'USPS',
+    })
+
+    await async_test(
+      "Block C: PACKAGE_IN_TRANSIT fires 'In Transit' trigger with trackingUrl preferred over tracking",
+      () => sdk.api.endusers.getOne(enduser.id),
+      { onResult: e => !!(
+           e.fields?.pharmacy_status === 'In Transit'
+        && e.fields?.pharmacy_tracking === trackingUrl
+        && e.fields?.pharmacy_carrier === 'USPS'
+        && e.fields?.pharmacy_externalId === externalOrderId
+      )}
+    )
+
+    await postEvent('PACKAGE_OUT_FOR_DELIVERY', {
+      trackerStatus: 'out_for_delivery',
+      trackingUrl,
+      carrier: 'USPS',
+    })
+    await async_test(
+      "Block C: PACKAGE_OUT_FOR_DELIVERY sets order status 'Out for Delivery'",
+      getOrder,
+      { onResult: o => o?.status === 'Out for Delivery' }
+    )
+
+    const deliveredDate = new Date().toISOString()
+    await postEvent('PACKAGE_DELIVERED', {
+      trackerStatus: 'delivered',
+      trackingUrl,
+      carrier: 'USPS',
+      deliveredDate,
+    })
+    await async_test(
+      "Block C: PACKAGE_DELIVERED sets status 'Delivered' and stores deliveredDate",
+      getOrder,
+      { onResult: o => !!(
+           o?.status === 'Delivered'
+        && o?.deliveredDate === deliveredDate
+      )}
+    )
+
+    await postEvent('PACKAGE_DELIVERY_FAILED', { trackerStatus: 'failure' })
+    await async_test(
+      "Block C: PACKAGE_DELIVERY_FAILED sets order status 'Delivery Failed'",
+      getOrder,
+      { onResult: o => o?.status === 'Delivery Failed' }
+    )
+  } finally {
+    // Clean up the order created by the webhook
+    try {
+      const orders = await sdk.api.enduser_orders.getSome({
+        filter: { source: 'Beluga', externalId: externalOrderId } as any,
+      })
+      for (const o of orders) {
+        await sdk.api.enduser_orders.deleteOne(o.id).catch(console.error)
+      }
+    } catch (err) {
+      console.error(err)
+    }
+
+    await sdk.api.automation_triggers.deleteOne(inTransitTrigger.id).catch(console.error)
+    await sdk.api.form_responses.deleteOne(formResponse.id).catch(console.error)
+    await sdk.api.forms.deleteOne(form.id).catch(console.error)
+    await sdk.api.endusers.deleteOne(enduser.id).catch(console.error)
+  }
+}
+
 export const set_fields_order_templates_tests = async (
   { sdk, sdkNonAdmin }: { sdk: Session, sdkNonAdmin: Session }
 ) => {
   log_header("Set Fields: {{order.*}} template resolution")
   await direct_order_creation_block({ sdk })
   await beluga_webhook_block({ sdk })
+  await beluga_tracking_status_block({ sdk })
 }
 
 if (require.main === module) {

package/src/tests/tests.ts

@@ -114,6 +114,7 @@ import { organization_settings_duplicates_tests } from "./api_tests/organization
 import { calendar_events_bulk_update_tests } from "./api_tests/calendar_events_bulk_update.test";
 import { openloop_webhooks_tests } from "./api_tests/openloop_webhooks.test";
 import { beluga_pharmacy_mappings_tests } from "./api_tests/beluga_pharmacy_mappings.test";
+import { mdi_webhooks_tests } from "./api_tests/mdi_webhooks.test";
 import { account_switcher_tests } from "./api_tests/account_switcher.test";
 import { set_fields_order_templates_tests } from "./api_tests/set_fields_order_templates.test";
 import { date_string_validation_tests } from "./api_tests/date_string_validation.test";
@@ -14357,6 +14358,7 @@ const ip_address_form_tests = async () => {
     await form_submitted_trigger_tests({ sdk, sdkNonAdmin })
     await date_string_validation_tests({ sdk, sdkNonAdmin })
     await openloop_webhooks_tests({ sdk, sdkNonAdmin })
+    await mdi_webhooks_tests({ sdk, sdkNonAdmin })
     await integrations_redacted_tests({ sdk, sdkNonAdmin })
     await mdb_sort_tests({ sdk, sdkNonAdmin })
     await search_tests()