@tellescope/sdk 1.254.0 → 1.254.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (71) hide show
  1. package/lib/cjs/tests/api_tests/ai_decision_summary_config.test.d.ts +16 -0
  2. package/lib/cjs/tests/api_tests/ai_decision_summary_config.test.d.ts.map +1 -0
  3. package/lib/cjs/tests/api_tests/ai_decision_summary_config.test.js +187 -0
  4. package/lib/cjs/tests/api_tests/ai_decision_summary_config.test.js.map +1 -0
  5. package/lib/cjs/tests/api_tests/mdi_case_offerings.test.d.ts +6 -0
  6. package/lib/cjs/tests/api_tests/mdi_case_offerings.test.d.ts.map +1 -0
  7. package/lib/cjs/tests/api_tests/mdi_case_offerings.test.js +443 -0
  8. package/lib/cjs/tests/api_tests/mdi_case_offerings.test.js.map +1 -0
  9. package/lib/cjs/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.d.ts +21 -0
  10. package/lib/cjs/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.d.ts.map +1 -0
  11. package/lib/cjs/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.js +362 -0
  12. package/lib/cjs/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.js.map +1 -0
  13. package/lib/cjs/tests/api_tests/security/F-0145-globalunique-leak.test.d.ts +20 -0
  14. package/lib/cjs/tests/api_tests/security/F-0145-globalunique-leak.test.d.ts.map +1 -0
  15. package/lib/cjs/tests/api_tests/security/F-0145-globalunique-leak.test.js +139 -0
  16. package/lib/cjs/tests/api_tests/security/F-0145-globalunique-leak.test.js.map +1 -0
  17. package/lib/cjs/tests/api_tests/security/F-0151-load-inbox-redaction.test.d.ts +18 -0
  18. package/lib/cjs/tests/api_tests/security/F-0151-load-inbox-redaction.test.d.ts.map +1 -0
  19. package/lib/cjs/tests/api_tests/security/F-0151-load-inbox-redaction.test.js +156 -0
  20. package/lib/cjs/tests/api_tests/security/F-0151-load-inbox-redaction.test.js.map +1 -0
  21. package/lib/cjs/tests/api_tests/security/F-0155-webhook-timeout.test.d.ts +20 -0
  22. package/lib/cjs/tests/api_tests/security/F-0155-webhook-timeout.test.d.ts.map +1 -0
  23. package/lib/cjs/tests/api_tests/security/F-0155-webhook-timeout.test.js +157 -0
  24. package/lib/cjs/tests/api_tests/security/F-0155-webhook-timeout.test.js.map +1 -0
  25. package/lib/cjs/tests/setup.d.ts.map +1 -1
  26. package/lib/cjs/tests/setup.js +20 -1
  27. package/lib/cjs/tests/setup.js.map +1 -1
  28. package/lib/cjs/tests/tests.d.ts.map +1 -1
  29. package/lib/cjs/tests/tests.js +175 -155
  30. package/lib/cjs/tests/tests.js.map +1 -1
  31. package/lib/esm/sdk.d.ts +2 -2
  32. package/lib/esm/tests/api_tests/ai_decision_summary_config.test.d.ts +16 -0
  33. package/lib/esm/tests/api_tests/ai_decision_summary_config.test.d.ts.map +1 -0
  34. package/lib/esm/tests/api_tests/ai_decision_summary_config.test.js +183 -0
  35. package/lib/esm/tests/api_tests/ai_decision_summary_config.test.js.map +1 -0
  36. package/lib/esm/tests/api_tests/mdi_case_offerings.test.d.ts +6 -0
  37. package/lib/esm/tests/api_tests/mdi_case_offerings.test.d.ts.map +1 -0
  38. package/lib/esm/tests/api_tests/mdi_case_offerings.test.js +439 -0
  39. package/lib/esm/tests/api_tests/mdi_case_offerings.test.js.map +1 -0
  40. package/lib/esm/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.d.ts +21 -0
  41. package/lib/esm/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.d.ts.map +1 -0
  42. package/lib/esm/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.js +358 -0
  43. package/lib/esm/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.js.map +1 -0
  44. package/lib/esm/tests/api_tests/security/F-0145-globalunique-leak.test.d.ts +20 -0
  45. package/lib/esm/tests/api_tests/security/F-0145-globalunique-leak.test.d.ts.map +1 -0
  46. package/lib/esm/tests/api_tests/security/F-0145-globalunique-leak.test.js +135 -0
  47. package/lib/esm/tests/api_tests/security/F-0145-globalunique-leak.test.js.map +1 -0
  48. package/lib/esm/tests/api_tests/security/F-0151-load-inbox-redaction.test.d.ts +18 -0
  49. package/lib/esm/tests/api_tests/security/F-0151-load-inbox-redaction.test.d.ts.map +1 -0
  50. package/lib/esm/tests/api_tests/security/F-0151-load-inbox-redaction.test.js +152 -0
  51. package/lib/esm/tests/api_tests/security/F-0151-load-inbox-redaction.test.js.map +1 -0
  52. package/lib/esm/tests/api_tests/security/F-0155-webhook-timeout.test.d.ts +20 -0
  53. package/lib/esm/tests/api_tests/security/F-0155-webhook-timeout.test.d.ts.map +1 -0
  54. package/lib/esm/tests/api_tests/security/F-0155-webhook-timeout.test.js +150 -0
  55. package/lib/esm/tests/api_tests/security/F-0155-webhook-timeout.test.js.map +1 -0
  56. package/lib/esm/tests/setup.d.ts.map +1 -1
  57. package/lib/esm/tests/setup.js +20 -1
  58. package/lib/esm/tests/setup.js.map +1 -1
  59. package/lib/esm/tests/tests.d.ts.map +1 -1
  60. package/lib/esm/tests/tests.js +175 -155
  61. package/lib/esm/tests/tests.js.map +1 -1
  62. package/lib/tsconfig.tsbuildinfo +1 -1
  63. package/package.json +10 -10
  64. package/src/tests/api_tests/mdi_case_offerings.test.ts +414 -0
  65. package/src/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.ts +221 -0
  66. package/src/tests/api_tests/security/F-0145-globalunique-leak.test.ts +78 -0
  67. package/src/tests/api_tests/security/F-0151-load-inbox-redaction.test.ts +81 -0
  68. package/src/tests/api_tests/security/F-0155-webhook-timeout.test.ts +85 -0
  69. package/src/tests/setup.ts +9 -0
  70. package/src/tests/tests.ts +10 -0
  71. package/test_generated.pdf +0 -0
@@ -0,0 +1,78 @@
1
+ require('source-map-support').install();
2
+
3
+ import { Session } from "../../../sdk"
4
+ import {
5
+ async_test,
6
+ log_header,
7
+ } from "@tellescope/testing"
8
+ import { setup_tests } from "../../setup"
9
+
10
+ const host = process.env.API_URL || 'http://localhost:8080' as const
11
+
12
+ /**
13
+ * Regression test for F-0145
14
+ * (security-audit/findings/F-0145-globalunique-conflict-leaks-cross-tenant-record.md).
15
+ *
16
+ * The create endpoint generator's unconditional globalUnique-enforcement block
17
+ * (routing.ts, "globalUnique should be enforced even if _overrideUnique is true")
18
+ * threw uniquenessError([{ existingRecord: matches[0] }]) with the RAW matched record.
19
+ * `findSomeByMatchAny_Global` deletes businessId, so the match is global; for `users`
20
+ * (globalUnique: ['email','phone']) the 409 body leaked the full record incl. hashedPass.
21
+ *
22
+ * Fix: redact existingRecord to { _id, businessId } like the safe validateUniquenessConstraints
23
+ * path. This reproduces the leak with a same-tenant collision (same code path) and asserts the
24
+ * 409 body's existingRecord exposes nothing beyond _id + businessId.
25
+ */
26
+ export const globalunique_leak_tests = async ({ sdk } : { sdk: Session, sdkNonAdmin: Session }) => {
27
+ log_header("F-0145: globalUnique conflict response redaction")
28
+
29
+ let userId: string | undefined
30
+ try {
31
+ const email = `f0145-victim-${Date.now()}@example.com`
32
+ const user = await sdk.api.users.createOne({ email } as any)
33
+ userId = user.id
34
+
35
+ await async_test(
36
+ 'F-0145: globalUnique 409 existingRecord exposes only _id + businessId (no email/hashedPass)',
37
+ () => sdk.api.users.createOne({ email, _overrideUnique: true } as any),
38
+ {
39
+ shouldError: true,
40
+ onError: (e: any) => {
41
+ const rec = e?.info?.[0]?.existingRecord
42
+ if (!rec || typeof rec !== 'object') return false
43
+ const keys = Object.keys(rec)
44
+ return (
45
+ keys.length > 0
46
+ && keys.every(k => k === '_id' || k === 'businessId' || k === 'id')
47
+ && !('email' in rec)
48
+ && !('hashedPass' in rec)
49
+ && !('hashedInviteCode' in rec)
50
+ )
51
+ },
52
+ },
53
+ )
54
+ } finally {
55
+ if (userId) { try { await sdk.api.users.deleteOne(userId) } catch {} }
56
+ }
57
+ }
58
+
59
+ if (require.main === module) {
60
+ console.log(`🌐 Using API URL: ${host}`)
61
+ const sdk = new Session({ host })
62
+ const sdkNonAdmin = new Session({ host })
63
+
64
+ const runTests = async () => {
65
+ await setup_tests(sdk, sdkNonAdmin)
66
+ await globalunique_leak_tests({ sdk, sdkNonAdmin })
67
+ }
68
+
69
+ runTests()
70
+ .then(() => {
71
+ console.log("✅ F-0145 globalUnique leak test suite completed successfully")
72
+ process.exit(0)
73
+ })
74
+ .catch((error) => {
75
+ console.error("❌ F-0145 globalUnique leak test suite failed:", error)
76
+ process.exit(1)
77
+ })
78
+ }
@@ -0,0 +1,81 @@
1
+ require('source-map-support').install();
2
+
3
+ import { Session } from "../../../sdk"
4
+ import {
5
+ async_test,
6
+ log_header,
7
+ } from "@tellescope/testing"
8
+ import { setup_tests } from "../../setup"
9
+
10
+ const host = process.env.API_URL || 'http://localhost:8080' as const
11
+
12
+ const ENDUSER_PASSWORD = 'F0151TestPassword!123'
13
+
14
+ /**
15
+ * Regression test for F-0151
16
+ * (security-audit/findings/F-0151-load-inbox-data-endusers-unredacted.md).
17
+ *
18
+ * load_inbox_data serialized $lookup'ed endusers via convert_id_name only (NOT applyRedactions),
19
+ * so endusers.hashedPassword (redactions:['all']) leaked to staff sessions — while the sibling
20
+ * phone_calls in the same response correctly went through applyRedactions.
21
+ *
22
+ * Repro: create an enduser, set their portal password (→ hashedPassword), seed an inbound
23
+ * (logOnly) email so the enduser appears in the inbox join, then load_inbox_data as staff and
24
+ * assert the returned enduser entry has NO hashedPassword.
25
+ */
26
+ export const load_inbox_redaction_tests = async ({ sdk } : { sdk: Session, sdkNonAdmin: Session }) => {
27
+ log_header("F-0151: load_inbox_data enduser redaction")
28
+
29
+ let enduserId: string | undefined
30
+ let emailId: string | undefined
31
+ try {
32
+ const email = `f0151-enduser-${Date.now()}@example.com`
33
+ const enduser = await sdk.api.endusers.createOne({ email, fname: 'F0151', lname: 'Inbox' })
34
+ enduserId = enduser.id
35
+ await sdk.api.endusers.set_password({ id: enduser.id, password: ENDUSER_PASSWORD })
36
+
37
+ // Seed an inbound logOnly email so the enduser is joined into the inbox payload
38
+ const seeded = await sdk.api.emails.createOne({
39
+ enduserId: enduser.id, subject: 'F0151 seed', textContent: 'seed',
40
+ logOnly: true, inbound: true,
41
+ } as any)
42
+ emailId = seeded.id
43
+
44
+ await async_test(
45
+ 'F-0151: load_inbox_data does not leak enduser.hashedPassword to staff',
46
+ () => sdk.api.endusers.load_inbox_data({ enduserIds: [enduser.id] } as any),
47
+ {
48
+ onResult: (r: any) => {
49
+ const returned = (r?.endusers ?? []).find((e: any) => (e.id || e._id)?.toString() === enduserId)
50
+ // require that the enduser actually came back (so the assertion is meaningful),
51
+ // and that hashedPassword is absent
52
+ return !!returned && !('hashedPassword' in returned)
53
+ },
54
+ },
55
+ )
56
+ } finally {
57
+ if (emailId) { try { await sdk.api.emails.deleteOne(emailId) } catch {} }
58
+ if (enduserId) { try { await sdk.api.endusers.deleteOne(enduserId) } catch {} }
59
+ }
60
+ }
61
+
62
+ if (require.main === module) {
63
+ console.log(`🌐 Using API URL: ${host}`)
64
+ const sdk = new Session({ host })
65
+ const sdkNonAdmin = new Session({ host })
66
+
67
+ const runTests = async () => {
68
+ await setup_tests(sdk, sdkNonAdmin)
69
+ await load_inbox_redaction_tests({ sdk, sdkNonAdmin })
70
+ }
71
+
72
+ runTests()
73
+ .then(() => {
74
+ console.log("✅ F-0151 load_inbox_data redaction test suite completed successfully")
75
+ process.exit(0)
76
+ })
77
+ .catch((error) => {
78
+ console.error("❌ F-0151 load_inbox_data redaction test suite failed:", error)
79
+ process.exit(1)
80
+ })
81
+ }
@@ -0,0 +1,85 @@
1
+ require('source-map-support').install();
2
+
3
+ import http from "http"
4
+ import { Session } from "../../../sdk"
5
+ import {
6
+ async_test,
7
+ log_header,
8
+ } from "@tellescope/testing"
9
+ import { setup_tests } from "../../setup"
10
+
11
+ const host = process.env.API_URL || 'http://localhost:8080' as const
12
+
13
+ // The server-side axios timeout is 15s (F-0155 fix). We bound our own wait above that.
14
+ const CLIENT_WAIT_MS = 20_000
15
+
16
+ /**
17
+ * Regression test for F-0155
18
+ * (security-audit/findings/F-0155-outbound-webhook-no-timeout-slow-loris.md).
19
+ *
20
+ * Outbound webhook delivery used axios.post(url, ...) with no `timeout` (axios default = infinite).
21
+ * A tenant-controlled receiver that accepts the connection and never responds hangs the awaited
22
+ * request indefinitely (slow-loris → worker exhaustion). Fix: timeout: 15_000 on the axios calls.
23
+ *
24
+ * Repro: stand up a local HTTP server that accepts the connection but NEVER responds, point
25
+ * send_automation_webhook (which awaits the axios call) at it, and race the call against a 20s
26
+ * client timer.
27
+ * - green (fixed): server times out at ~15s → handler returns 400 → SDK call rejects < 20s
28
+ * - red (unfixed): the call is still pending at 20s → client timer wins
29
+ */
30
+ export const webhook_timeout_tests = async ({ sdk } : { sdk: Session, sdkNonAdmin: Session }) => {
31
+ log_header("F-0155: outbound webhook timeout")
32
+
33
+ let enduserId: string | undefined
34
+ const slowServer = http.createServer(() => { /* accept connection, never respond */ })
35
+
36
+ try {
37
+ await new Promise<void>(resolve => slowServer.listen(0, '127.0.0.1', () => resolve()))
38
+ const port = (slowServer.address() as any).port
39
+ const blackholeUrl = `http://127.0.0.1:${port}/hook`
40
+
41
+ const enduser = await sdk.api.endusers.createOne({ email: `f0155-${Date.now()}@example.com`, fname: 'F0155', lname: 'Webhook' })
42
+ enduserId = enduser.id
43
+
44
+ await async_test(
45
+ 'F-0155: outbound webhook to a non-responding receiver times out server-side (does not hang)',
46
+ async () => {
47
+ const start = Date.now()
48
+ const outcome = await Promise.race([
49
+ sdk.api.webhooks.send_automation_webhook({
50
+ enduserId: enduser.id,
51
+ action: { info: { url: blackholeUrl } },
52
+ } as any).then(() => 'completed').catch(() => 'errored'),
53
+ new Promise<string>(r => setTimeout(() => r('client-timeout'), CLIENT_WAIT_MS)),
54
+ ])
55
+ return { outcome, elapsed: Date.now() - start }
56
+ },
57
+ // green: the server-side axios timeout fired (call settled) before our 20s client wait
58
+ { onResult: (r: any) => r.outcome !== 'client-timeout' && r.elapsed < CLIENT_WAIT_MS },
59
+ )
60
+ } finally {
61
+ slowServer.close()
62
+ if (enduserId) { try { await sdk.api.endusers.deleteOne(enduserId) } catch {} }
63
+ }
64
+ }
65
+
66
+ if (require.main === module) {
67
+ console.log(`🌐 Using API URL: ${host}`)
68
+ const sdk = new Session({ host })
69
+ const sdkNonAdmin = new Session({ host })
70
+
71
+ const runTests = async () => {
72
+ await setup_tests(sdk, sdkNonAdmin)
73
+ await webhook_timeout_tests({ sdk, sdkNonAdmin })
74
+ }
75
+
76
+ runTests()
77
+ .then(() => {
78
+ console.log("✅ F-0155 webhook timeout test suite completed successfully")
79
+ process.exit(0)
80
+ })
81
+ .catch((error) => {
82
+ console.error("❌ F-0155 webhook timeout test suite failed:", error)
83
+ process.exit(1)
84
+ })
85
+ }
@@ -150,4 +150,13 @@ export const setup_tests = async (sdk: Session, sdkNonAdmin: Session) => {
150
150
  // may do some stuff in background after returning
151
151
  await async_test('reset_db', () => sdk.reset_db(), passOnVoid)
152
152
  await wait(undefined, 250)
153
+
154
+ // Prevent test-triggered notifications (e.g. timeTrackRejected, inbound-message
155
+ // notifications) from enqueuing real notification emails to SQS for the primary
156
+ // test accounts. On-the-fly test users already set this flag individually.
157
+ // Set after the final reset_db so it isn't wiped by the reset.
158
+ await Promise.all([
159
+ sdk.api.users.updateOne(sdk.userInfo.id, { notificationEmailsDisabled: true }),
160
+ sdk.api.users.updateOne(sdkNonAdmin.userInfo.id, { notificationEmailsDisabled: true }),
161
+ ]).catch(console.error)
153
162
  }
@@ -100,6 +100,10 @@ import { invite_user_enumeration_tests } from "./api_tests/security/F-0007-invit
100
100
  import { handle_incoming_communication_cross_tenant_tests } from "./api_tests/security/F-0008-handle-incoming-communication-cross-tenant.test";
101
101
  import { sanitize_user_html_xss_tests } from "./api_tests/security/F-0013-sanitize-user-html.test";
102
102
  import { prototype_pollution_tests } from "./api_tests/security/F-0016-prototype-pollution.test";
103
+ import { enduser_cross_create_tests } from "./api_tests/security/F-0116-F-0119-enduser-cross-create.test";
104
+ import { globalunique_leak_tests } from "./api_tests/security/F-0145-globalunique-leak.test";
105
+ import { load_inbox_redaction_tests } from "./api_tests/security/F-0151-load-inbox-redaction.test";
106
+ import { webhook_timeout_tests } from "./api_tests/security/F-0155-webhook-timeout.test";
103
107
  import { bulk_assignment_tests } from "./api_tests/bulk_assignment.test";
104
108
  import { managed_content_enduser_access_tests } from "./api_tests/managed_content_enduser_access.test";
105
109
  import { managed_content_file_access_tests } from "./api_tests/managed_content_file_access.test";
@@ -116,6 +120,7 @@ import { organization_settings_duplicates_tests } from "./api_tests/organization
116
120
  import { calendar_events_bulk_update_tests } from "./api_tests/calendar_events_bulk_update.test";
117
121
  import { openloop_webhooks_tests } from "./api_tests/openloop_webhooks.test";
118
122
  import { beluga_pharmacy_mappings_tests } from "./api_tests/beluga_pharmacy_mappings.test";
123
+ import { mdi_case_offerings_tests } from "./api_tests/mdi_case_offerings.test";
119
124
  import { beluga_manual_sync_tests } from "./api_tests/beluga_manual_sync.test";
120
125
  import { mdi_webhooks_tests } from "./api_tests/mdi_webhooks.test";
121
126
  import { account_switcher_tests } from "./api_tests/account_switcher.test";
@@ -14840,7 +14845,12 @@ const ip_address_form_tests = async () => {
14840
14845
  await resource_access_tags_tests({ sdk, sdkNonAdmin })
14841
14846
  await beluga_manual_sync_tests({ sdk, sdkNonAdmin })
14842
14847
  await beluga_pharmacy_mappings_tests({ sdk, sdkNonAdmin })
14848
+ await mdi_case_offerings_tests({ sdk, sdkNonAdmin })
14843
14849
  await enduser_write_restrictions_tests({ sdk, sdkNonAdmin })
14850
+ await enduser_cross_create_tests({ sdk, sdkNonAdmin })
14851
+ await globalunique_leak_tests({ sdk, sdkNonAdmin })
14852
+ await load_inbox_redaction_tests({ sdk, sdkNonAdmin })
14853
+ await webhook_timeout_tests({ sdk, sdkNonAdmin })
14844
14854
  await user_portal_settings_tests({ sdk, sdkNonAdmin })
14845
14855
  await automation_trigger_tests()
14846
14856
  await invite_user_enumeration_tests({ sdk, sdkNonAdmin })
Binary file