@tellescope/sdk 1.254.0 → 1.254.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (71) hide show
  1. package/lib/cjs/tests/api_tests/ai_decision_summary_config.test.d.ts +16 -0
  2. package/lib/cjs/tests/api_tests/ai_decision_summary_config.test.d.ts.map +1 -0
  3. package/lib/cjs/tests/api_tests/ai_decision_summary_config.test.js +187 -0
  4. package/lib/cjs/tests/api_tests/ai_decision_summary_config.test.js.map +1 -0
  5. package/lib/cjs/tests/api_tests/mdi_case_offerings.test.d.ts +6 -0
  6. package/lib/cjs/tests/api_tests/mdi_case_offerings.test.d.ts.map +1 -0
  7. package/lib/cjs/tests/api_tests/mdi_case_offerings.test.js +443 -0
  8. package/lib/cjs/tests/api_tests/mdi_case_offerings.test.js.map +1 -0
  9. package/lib/cjs/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.d.ts +21 -0
  10. package/lib/cjs/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.d.ts.map +1 -0
  11. package/lib/cjs/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.js +362 -0
  12. package/lib/cjs/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.js.map +1 -0
  13. package/lib/cjs/tests/api_tests/security/F-0145-globalunique-leak.test.d.ts +20 -0
  14. package/lib/cjs/tests/api_tests/security/F-0145-globalunique-leak.test.d.ts.map +1 -0
  15. package/lib/cjs/tests/api_tests/security/F-0145-globalunique-leak.test.js +139 -0
  16. package/lib/cjs/tests/api_tests/security/F-0145-globalunique-leak.test.js.map +1 -0
  17. package/lib/cjs/tests/api_tests/security/F-0151-load-inbox-redaction.test.d.ts +18 -0
  18. package/lib/cjs/tests/api_tests/security/F-0151-load-inbox-redaction.test.d.ts.map +1 -0
  19. package/lib/cjs/tests/api_tests/security/F-0151-load-inbox-redaction.test.js +156 -0
  20. package/lib/cjs/tests/api_tests/security/F-0151-load-inbox-redaction.test.js.map +1 -0
  21. package/lib/cjs/tests/api_tests/security/F-0155-webhook-timeout.test.d.ts +20 -0
  22. package/lib/cjs/tests/api_tests/security/F-0155-webhook-timeout.test.d.ts.map +1 -0
  23. package/lib/cjs/tests/api_tests/security/F-0155-webhook-timeout.test.js +157 -0
  24. package/lib/cjs/tests/api_tests/security/F-0155-webhook-timeout.test.js.map +1 -0
  25. package/lib/cjs/tests/setup.d.ts.map +1 -1
  26. package/lib/cjs/tests/setup.js +20 -1
  27. package/lib/cjs/tests/setup.js.map +1 -1
  28. package/lib/cjs/tests/tests.d.ts.map +1 -1
  29. package/lib/cjs/tests/tests.js +175 -155
  30. package/lib/cjs/tests/tests.js.map +1 -1
  31. package/lib/esm/sdk.d.ts +2 -2
  32. package/lib/esm/tests/api_tests/ai_decision_summary_config.test.d.ts +16 -0
  33. package/lib/esm/tests/api_tests/ai_decision_summary_config.test.d.ts.map +1 -0
  34. package/lib/esm/tests/api_tests/ai_decision_summary_config.test.js +183 -0
  35. package/lib/esm/tests/api_tests/ai_decision_summary_config.test.js.map +1 -0
  36. package/lib/esm/tests/api_tests/mdi_case_offerings.test.d.ts +6 -0
  37. package/lib/esm/tests/api_tests/mdi_case_offerings.test.d.ts.map +1 -0
  38. package/lib/esm/tests/api_tests/mdi_case_offerings.test.js +439 -0
  39. package/lib/esm/tests/api_tests/mdi_case_offerings.test.js.map +1 -0
  40. package/lib/esm/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.d.ts +21 -0
  41. package/lib/esm/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.d.ts.map +1 -0
  42. package/lib/esm/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.js +358 -0
  43. package/lib/esm/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.js.map +1 -0
  44. package/lib/esm/tests/api_tests/security/F-0145-globalunique-leak.test.d.ts +20 -0
  45. package/lib/esm/tests/api_tests/security/F-0145-globalunique-leak.test.d.ts.map +1 -0
  46. package/lib/esm/tests/api_tests/security/F-0145-globalunique-leak.test.js +135 -0
  47. package/lib/esm/tests/api_tests/security/F-0145-globalunique-leak.test.js.map +1 -0
  48. package/lib/esm/tests/api_tests/security/F-0151-load-inbox-redaction.test.d.ts +18 -0
  49. package/lib/esm/tests/api_tests/security/F-0151-load-inbox-redaction.test.d.ts.map +1 -0
  50. package/lib/esm/tests/api_tests/security/F-0151-load-inbox-redaction.test.js +152 -0
  51. package/lib/esm/tests/api_tests/security/F-0151-load-inbox-redaction.test.js.map +1 -0
  52. package/lib/esm/tests/api_tests/security/F-0155-webhook-timeout.test.d.ts +20 -0
  53. package/lib/esm/tests/api_tests/security/F-0155-webhook-timeout.test.d.ts.map +1 -0
  54. package/lib/esm/tests/api_tests/security/F-0155-webhook-timeout.test.js +150 -0
  55. package/lib/esm/tests/api_tests/security/F-0155-webhook-timeout.test.js.map +1 -0
  56. package/lib/esm/tests/setup.d.ts.map +1 -1
  57. package/lib/esm/tests/setup.js +20 -1
  58. package/lib/esm/tests/setup.js.map +1 -1
  59. package/lib/esm/tests/tests.d.ts.map +1 -1
  60. package/lib/esm/tests/tests.js +175 -155
  61. package/lib/esm/tests/tests.js.map +1 -1
  62. package/lib/tsconfig.tsbuildinfo +1 -1
  63. package/package.json +10 -10
  64. package/src/tests/api_tests/mdi_case_offerings.test.ts +414 -0
  65. package/src/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.ts +221 -0
  66. package/src/tests/api_tests/security/F-0145-globalunique-leak.test.ts +78 -0
  67. package/src/tests/api_tests/security/F-0151-load-inbox-redaction.test.ts +81 -0
  68. package/src/tests/api_tests/security/F-0155-webhook-timeout.test.ts +85 -0
  69. package/src/tests/setup.ts +9 -0
  70. package/src/tests/tests.ts +10 -0
  71. package/test_generated.pdf +0 -0
@@ -0,0 +1,358 @@
1
+ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
2
+ function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
3
+ return new (P || (P = Promise))(function (resolve, reject) {
4
+ function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
5
+ function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
6
+ function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
7
+ step((generator = generator.apply(thisArg, _arguments || [])).next());
8
+ });
9
+ };
10
+ var __generator = (this && this.__generator) || function (thisArg, body) {
11
+ var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
12
+ return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
13
+ function verb(n) { return function (v) { return step([n, v]); }; }
14
+ function step(op) {
15
+ if (f) throw new TypeError("Generator is already executing.");
16
+ while (g && (g = 0, op[0] && (_ = 0)), _) try {
17
+ if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
18
+ if (y = 0, t) op = [op[0] & 2, t.value];
19
+ switch (op[0]) {
20
+ case 0: case 1: t = op; break;
21
+ case 4: _.label++; return { value: op[1], done: false };
22
+ case 5: _.label++; y = op[1]; op = [0]; continue;
23
+ case 7: op = _.ops.pop(); _.trys.pop(); continue;
24
+ default:
25
+ if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
26
+ if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
27
+ if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
28
+ if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
29
+ if (t[2]) _.ops.pop();
30
+ _.trys.pop(); continue;
31
+ }
32
+ op = body.call(thisArg, _);
33
+ } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
34
+ if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
35
+ }
36
+ };
37
+ require('source-map-support').install();
38
+ import { Session, EnduserSession } from "../../../sdk";
39
+ import { async_test, log_header, } from "@tellescope/testing";
40
+ import { setup_tests } from "../../setup";
41
+ var host = process.env.API_URL || 'http://localhost:8080';
42
+ var businessId = '60398b1131a295e64f084ff6';
43
+ var ENDUSER_PASSWORD = 'F0116TestPassword!123';
44
+ var CROSS_ENDUSER_MESSAGE = "enduserId does not match creator id for enduser session";
45
+ /**
46
+ * Regression test for the enduser cross-enduser CREATE gating gaps:
47
+ * F-0116 enduser_observations (security-audit/findings/F-0116-*.md)
48
+ * F-0117 enduser_orders (security-audit/findings/F-0117-*.md)
49
+ * F-0119 managed_content_records (security-audit/findings/F-0119-*.md)
50
+ * F-0118 chat_rooms (enduserIds-only gate; staff userIds targeting is by-design)
51
+ *
52
+ * Each model exposed enduserActions.create with an `enduserId`/`enduserIds` field that
53
+ * lacked a write-side gate, letting an authenticated enduser create records bound to a
54
+ * DIFFERENT enduser in the same tenant. The fix adds a `constraints.relationship`
55
+ * evaluator mirroring the canonical `tickets` pattern (schema.ts).
56
+ *
57
+ * Methodology: each section asserts BOTH the exploit-is-blocked case AND that the
58
+ * legitimate path (self-create + staff-create) still works.
59
+ */
60
+ export var enduser_cross_create_tests = function (_a) {
61
+ var sdk = _a.sdk;
62
+ return __awaiter(void 0, void 0, void 0, function () {
63
+ var attackerId, victimId, createdObservationIds, createdOrderIds, createdContentIds, createdRoomIds, attackerEmail, victimEmail, attacker, victim, attackerSDK_1, orderPayload_1, staffId_1, _i, createdRoomIds_1, id, _b, _c, createdContentIds_1, id, _d, _e, createdObservationIds_1, id, _f, _g, createdOrderIds_1, id, _h, _j, _k;
64
+ return __generator(this, function (_l) {
65
+ switch (_l.label) {
66
+ case 0:
67
+ log_header("F-0116/F-0117/F-0118/F-0119: enduser cross-enduser create gates");
68
+ createdObservationIds = [];
69
+ createdOrderIds = [];
70
+ createdContentIds = [];
71
+ createdRoomIds = [];
72
+ _l.label = 1;
73
+ case 1:
74
+ _l.trys.push([1, , 21, 54]);
75
+ attackerEmail = "f0116-attacker-".concat(Date.now(), "@example.com");
76
+ victimEmail = "f0116-victim-".concat(Date.now(), "@example.com");
77
+ return [4 /*yield*/, sdk.api.endusers.createOne({ email: attackerEmail, fname: 'F0116', lname: 'Attacker' })];
78
+ case 2:
79
+ attacker = _l.sent();
80
+ attackerId = attacker.id;
81
+ return [4 /*yield*/, sdk.api.endusers.createOne({ email: victimEmail, fname: 'F0116', lname: 'Victim' })];
82
+ case 3:
83
+ victim = _l.sent();
84
+ victimId = victim.id;
85
+ return [4 /*yield*/, sdk.api.endusers.set_password({ id: attacker.id, password: ENDUSER_PASSWORD })];
86
+ case 4:
87
+ _l.sent();
88
+ attackerSDK_1 = new EnduserSession({ host: host, businessId: businessId });
89
+ return [4 /*yield*/, attackerSDK_1.authenticate(attackerEmail, ENDUSER_PASSWORD)
90
+ // ============================================================
91
+ // F-0116 — enduser_observations
92
+ // ============================================================
93
+ ];
94
+ case 5:
95
+ _l.sent();
96
+ // ============================================================
97
+ // F-0116 — enduser_observations
98
+ // ============================================================
99
+ return [4 /*yield*/, async_test("F-0116: enduser cannot create observation on another enduser (createOne)", function () { return attackerSDK_1.api.enduser_observations.createOne({
100
+ enduserId: victimId, category: 'vital-signs', status: 'final',
101
+ measurement: { unit: 'mmHg', value: 220 },
102
+ }); }, { shouldError: true, onError: function (e) { return e.message === CROSS_ENDUSER_MESSAGE; } })];
103
+ case 6:
104
+ // ============================================================
105
+ // F-0116 — enduser_observations
106
+ // ============================================================
107
+ _l.sent();
108
+ return [4 /*yield*/, async_test("F-0116: enduser cannot create observation on another enduser (createMany)", function () { return attackerSDK_1.api.enduser_observations.createSome([{
109
+ enduserId: victimId, category: 'vital-signs', status: 'final',
110
+ measurement: { unit: 'mmHg', value: 220 },
111
+ }]); }, { shouldError: true, onError: function (e) { return e.message === CROSS_ENDUSER_MESSAGE; } })
112
+ // Positive control: enduser CAN create an observation on their OWN record
113
+ ];
114
+ case 7:
115
+ _l.sent();
116
+ // Positive control: enduser CAN create an observation on their OWN record
117
+ return [4 /*yield*/, async_test("F-0116: enduser can still create observation on own record", function () { return attackerSDK_1.api.enduser_observations.createOne({
118
+ enduserId: attackerId, category: 'vital-signs', status: 'final',
119
+ measurement: { unit: 'mmHg', value: 120 },
120
+ }); }, { onResult: function (o) { if (o === null || o === void 0 ? void 0 : o.id)
121
+ createdObservationIds.push(o.id); return (o === null || o === void 0 ? void 0 : o.enduserId) === attackerId; } })
122
+ // Positive control: staff CAN create an observation on any tenant enduser
123
+ ];
124
+ case 8:
125
+ // Positive control: enduser CAN create an observation on their OWN record
126
+ _l.sent();
127
+ // Positive control: staff CAN create an observation on any tenant enduser
128
+ return [4 /*yield*/, async_test("F-0116: staff can still create observation on any enduser", function () { return sdk.api.enduser_observations.createOne({
129
+ enduserId: victimId, category: 'vital-signs', status: 'final',
130
+ measurement: { unit: 'mmHg', value: 118 },
131
+ }); }, { onResult: function (o) { if (o === null || o === void 0 ? void 0 : o.id)
132
+ createdObservationIds.push(o.id); return (o === null || o === void 0 ? void 0 : o.enduserId) === victimId; } })
133
+ // ============================================================
134
+ // F-0117 — enduser_orders
135
+ // ============================================================
136
+ ];
137
+ case 9:
138
+ // Positive control: staff CAN create an observation on any tenant enduser
139
+ _l.sent();
140
+ orderPayload_1 = function (enduserId) { return ({
141
+ enduserId: enduserId,
142
+ externalId: "f0117-".concat(Date.now()), source: 'f0117-source',
143
+ title: 'f0117 order', status: 'pending',
144
+ }); };
145
+ return [4 /*yield*/, async_test("F-0117: enduser cannot create order on another enduser", function () { return attackerSDK_1.api.enduser_orders.createOne(orderPayload_1(victimId)); }, { shouldError: true, onError: function (e) { return e.message === CROSS_ENDUSER_MESSAGE; } })];
146
+ case 10:
147
+ _l.sent();
148
+ return [4 /*yield*/, async_test("F-0117: enduser can still create order on own record", function () { return attackerSDK_1.api.enduser_orders.createOne(orderPayload_1(attackerId)); }, { onResult: function (o) { if (o === null || o === void 0 ? void 0 : o.id)
149
+ createdOrderIds.push(o.id); return (o === null || o === void 0 ? void 0 : o.enduserId) === attackerId; } })];
150
+ case 11:
151
+ _l.sent();
152
+ return [4 /*yield*/, async_test("F-0117: staff can still create order on any enduser", function () { return sdk.api.enduser_orders.createOne(orderPayload_1(victimId)); }, { onResult: function (o) { if (o === null || o === void 0 ? void 0 : o.id)
153
+ createdOrderIds.push(o.id); return (o === null || o === void 0 ? void 0 : o.enduserId) === victimId; } })
154
+ // ============================================================
155
+ // F-0119 — managed_content_records
156
+ // ============================================================
157
+ ];
158
+ case 12:
159
+ _l.sent();
160
+ // ============================================================
161
+ // F-0119 — managed_content_records
162
+ // ============================================================
163
+ return [4 /*yield*/, async_test("F-0119: enduser cannot create content with allowUnauthenticatedAccess", function () { return attackerSDK_1.api.managed_content_records.createOne({
164
+ title: 'f0119 phishing', textContent: 'x', allowUnauthenticatedAccess: true,
165
+ }); }, { shouldError: true, onError: function (e) { return e.message === "allowUnauthenticatedAccess cannot be set by endusers"; } })];
166
+ case 13:
167
+ // ============================================================
168
+ // F-0119 — managed_content_records
169
+ // ============================================================
170
+ _l.sent();
171
+ return [4 /*yield*/, async_test("F-0119: enduser cannot create content with publicRead", function () { return attackerSDK_1.api.managed_content_records.createOne({
172
+ title: 'f0119 broadcast', textContent: 'x', publicRead: true,
173
+ }); }, { shouldError: true, onError: function (e) { return e.message === "publicRead cannot be set by endusers"; } })];
174
+ case 14:
175
+ _l.sent();
176
+ return [4 /*yield*/, async_test("F-0119: enduser cannot create content bound to another enduser", function () { return attackerSDK_1.api.managed_content_records.createOne({
177
+ title: 'f0119 cross', textContent: 'x', enduserId: victimId,
178
+ }); }, { shouldError: true, onError: function (e) { return e.message === CROSS_ENDUSER_MESSAGE; } })];
179
+ case 15:
180
+ _l.sent();
181
+ return [4 /*yield*/, async_test("F-0119: enduser can still create ordinary content", function () { return attackerSDK_1.api.managed_content_records.createOne({
182
+ title: 'f0119 ok', textContent: 'hello',
183
+ }); }, { onResult: function (o) { if (o === null || o === void 0 ? void 0 : o.id)
184
+ createdContentIds.push(o.id); return !(o === null || o === void 0 ? void 0 : o.publicRead) && !(o === null || o === void 0 ? void 0 : o.allowUnauthenticatedAccess); } })];
185
+ case 16:
186
+ _l.sent();
187
+ return [4 /*yield*/, async_test("F-0119: staff can still create public content", function () { return sdk.api.managed_content_records.createOne({
188
+ title: 'f0119 staff public', textContent: 'x', publicRead: true,
189
+ }); }, { onResult: function (o) { if (o === null || o === void 0 ? void 0 : o.id)
190
+ createdContentIds.push(o.id); return (o === null || o === void 0 ? void 0 : o.publicRead) === true; } })
191
+ // ============================================================
192
+ // F-0118 — chat_rooms (enduserIds-only gate; staff userIds targeting is by-design)
193
+ // ============================================================
194
+ ];
195
+ case 17:
196
+ _l.sent();
197
+ staffId_1 = sdk.userInfo.id;
198
+ return [4 /*yield*/, async_test("F-0118: enduser cannot add another patient to a chat room (enduserIds)", function () { return attackerSDK_1.api.chat_rooms.createOne({
199
+ type: 'internal', enduserIds: [attackerId, victimId], userIds: [staffId_1],
200
+ }); }, { shouldError: true, onError: function (e) { return e.message === "enduserIds may only contain your own id for enduser session"; } })
201
+ // Positive control: patient CAN create a room with care-team staff + self (intended feature)
202
+ ];
203
+ case 18:
204
+ _l.sent();
205
+ // Positive control: patient CAN create a room with care-team staff + self (intended feature)
206
+ return [4 /*yield*/, async_test("F-0118: enduser can still create a room with staff + self", function () { return attackerSDK_1.api.chat_rooms.createOne({
207
+ type: 'internal', enduserIds: [attackerId], userIds: [staffId_1],
208
+ }); }, { onResult: function (o) { var _a, _b; if (o === null || o === void 0 ? void 0 : o.id)
209
+ createdRoomIds.push(o.id); return ((_a = o === null || o === void 0 ? void 0 : o.enduserIds) === null || _a === void 0 ? void 0 : _a.length) === 1 && ((_b = o === null || o === void 0 ? void 0 : o.userIds) === null || _b === void 0 ? void 0 : _b.includes(staffId_1)); } })
210
+ // Positive control: staff can still create multi-patient rooms
211
+ ];
212
+ case 19:
213
+ // Positive control: patient CAN create a room with care-team staff + self (intended feature)
214
+ _l.sent();
215
+ // Positive control: staff can still create multi-patient rooms
216
+ return [4 /*yield*/, async_test("F-0118: staff can still create a room with multiple endusers", function () { return sdk.api.chat_rooms.createOne({
217
+ type: 'internal', enduserIds: [attackerId, victimId], userIds: [staffId_1],
218
+ }); }, { onResult: function (o) { var _a; if (o === null || o === void 0 ? void 0 : o.id)
219
+ createdRoomIds.push(o.id); return ((_a = o === null || o === void 0 ? void 0 : o.enduserIds) === null || _a === void 0 ? void 0 : _a.length) === 2; } })];
220
+ case 20:
221
+ // Positive control: staff can still create multi-patient rooms
222
+ _l.sent();
223
+ return [3 /*break*/, 54];
224
+ case 21:
225
+ _i = 0, createdRoomIds_1 = createdRoomIds;
226
+ _l.label = 22;
227
+ case 22:
228
+ if (!(_i < createdRoomIds_1.length)) return [3 /*break*/, 27];
229
+ id = createdRoomIds_1[_i];
230
+ _l.label = 23;
231
+ case 23:
232
+ _l.trys.push([23, 25, , 26]);
233
+ return [4 /*yield*/, sdk.api.chat_rooms.deleteOne(id)];
234
+ case 24:
235
+ _l.sent();
236
+ return [3 /*break*/, 26];
237
+ case 25:
238
+ _b = _l.sent();
239
+ return [3 /*break*/, 26];
240
+ case 26:
241
+ _i++;
242
+ return [3 /*break*/, 22];
243
+ case 27:
244
+ _c = 0, createdContentIds_1 = createdContentIds;
245
+ _l.label = 28;
246
+ case 28:
247
+ if (!(_c < createdContentIds_1.length)) return [3 /*break*/, 33];
248
+ id = createdContentIds_1[_c];
249
+ _l.label = 29;
250
+ case 29:
251
+ _l.trys.push([29, 31, , 32]);
252
+ return [4 /*yield*/, sdk.api.managed_content_records.deleteOne(id)];
253
+ case 30:
254
+ _l.sent();
255
+ return [3 /*break*/, 32];
256
+ case 31:
257
+ _d = _l.sent();
258
+ return [3 /*break*/, 32];
259
+ case 32:
260
+ _c++;
261
+ return [3 /*break*/, 28];
262
+ case 33:
263
+ _e = 0, createdObservationIds_1 = createdObservationIds;
264
+ _l.label = 34;
265
+ case 34:
266
+ if (!(_e < createdObservationIds_1.length)) return [3 /*break*/, 39];
267
+ id = createdObservationIds_1[_e];
268
+ _l.label = 35;
269
+ case 35:
270
+ _l.trys.push([35, 37, , 38]);
271
+ return [4 /*yield*/, sdk.api.enduser_observations.deleteOne(id)];
272
+ case 36:
273
+ _l.sent();
274
+ return [3 /*break*/, 38];
275
+ case 37:
276
+ _f = _l.sent();
277
+ return [3 /*break*/, 38];
278
+ case 38:
279
+ _e++;
280
+ return [3 /*break*/, 34];
281
+ case 39:
282
+ _g = 0, createdOrderIds_1 = createdOrderIds;
283
+ _l.label = 40;
284
+ case 40:
285
+ if (!(_g < createdOrderIds_1.length)) return [3 /*break*/, 45];
286
+ id = createdOrderIds_1[_g];
287
+ _l.label = 41;
288
+ case 41:
289
+ _l.trys.push([41, 43, , 44]);
290
+ return [4 /*yield*/, sdk.api.enduser_orders.deleteOne(id)];
291
+ case 42:
292
+ _l.sent();
293
+ return [3 /*break*/, 44];
294
+ case 43:
295
+ _h = _l.sent();
296
+ return [3 /*break*/, 44];
297
+ case 44:
298
+ _g++;
299
+ return [3 /*break*/, 40];
300
+ case 45:
301
+ if (!attackerId) return [3 /*break*/, 49];
302
+ _l.label = 46;
303
+ case 46:
304
+ _l.trys.push([46, 48, , 49]);
305
+ return [4 /*yield*/, sdk.api.endusers.deleteOne(attackerId)];
306
+ case 47:
307
+ _l.sent();
308
+ return [3 /*break*/, 49];
309
+ case 48:
310
+ _j = _l.sent();
311
+ return [3 /*break*/, 49];
312
+ case 49:
313
+ if (!victimId) return [3 /*break*/, 53];
314
+ _l.label = 50;
315
+ case 50:
316
+ _l.trys.push([50, 52, , 53]);
317
+ return [4 /*yield*/, sdk.api.endusers.deleteOne(victimId)];
318
+ case 51:
319
+ _l.sent();
320
+ return [3 /*break*/, 53];
321
+ case 52:
322
+ _k = _l.sent();
323
+ return [3 /*break*/, 53];
324
+ case 53: return [7 /*endfinally*/];
325
+ case 54: return [2 /*return*/];
326
+ }
327
+ });
328
+ });
329
+ };
330
+ // Allow running this test file independently
331
+ if (require.main === module) {
332
+ console.log("\uD83C\uDF10 Using API URL: ".concat(host));
333
+ var sdk_1 = new Session({ host: host });
334
+ var sdkNonAdmin_1 = new Session({ host: host });
335
+ var runTests = function () { return __awaiter(void 0, void 0, void 0, function () {
336
+ return __generator(this, function (_a) {
337
+ switch (_a.label) {
338
+ case 0: return [4 /*yield*/, setup_tests(sdk_1, sdkNonAdmin_1)];
339
+ case 1:
340
+ _a.sent();
341
+ return [4 /*yield*/, enduser_cross_create_tests({ sdk: sdk_1, sdkNonAdmin: sdkNonAdmin_1 })];
342
+ case 2:
343
+ _a.sent();
344
+ return [2 /*return*/];
345
+ }
346
+ });
347
+ }); };
348
+ runTests()
349
+ .then(function () {
350
+ console.log("✅ F-0116/F-0117/F-0118/F-0119 enduser cross-create test suite completed successfully");
351
+ process.exit(0);
352
+ })
353
+ .catch(function (error) {
354
+ console.error("❌ enduser cross-create test suite failed:", error);
355
+ process.exit(1);
356
+ });
357
+ }
358
+ //# sourceMappingURL=F-0116-F-0119-enduser-cross-create.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"F-0116-F-0119-enduser-cross-create.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0116-F-0119-enduser-cross-create.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,CAAC,oBAAoB,CAAC,CAAC,OAAO,EAAE,CAAC;AAExC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AACtD,OAAO,EACL,UAAU,EACV,UAAU,GACX,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAEzC,IAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAgC,CAAA;AACpE,IAAM,UAAU,GAAG,0BAA0B,CAAA;AAE7C,IAAM,gBAAgB,GAAG,uBAAuB,CAAA;AAEhD,IAAM,qBAAqB,GAAG,yDAAyD,CAAA;AAEvF;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,IAAM,0BAA0B,GAAG,UAAO,EAAgD;QAA9C,GAAG,SAAA;;;;;;oBACpD,UAAU,CAAC,iEAAiE,CAAC,CAAA;oBAIvE,qBAAqB,GAAa,EAAE,CAAA;oBACpC,eAAe,GAAa,EAAE,CAAA;oBAC9B,iBAAiB,GAAa,EAAE,CAAA;oBAChC,cAAc,GAAa,EAAE,CAAA;;;;oBAI3B,aAAa,GAAG,yBAAkB,IAAI,CAAC,GAAG,EAAE,iBAAc,CAAA;oBAC1D,WAAW,GAAG,uBAAgB,IAAI,CAAC,GAAG,EAAE,iBAAc,CAAA;oBAC3C,qBAAM,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAA;;oBAAxG,QAAQ,GAAG,SAA6F;oBAC9G,UAAU,GAAG,QAAQ,CAAC,EAAE,CAAA;oBACT,qBAAM,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAA;;oBAAlG,MAAM,GAAG,SAAyF;oBACxG,QAAQ,GAAG,MAAM,CAAC,EAAE,CAAA;oBACpB,qBAAM,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC,EAAA;;oBAApF,SAAoF,CAAA;oBAE9E,gBAAc,IAAI,cAAc,CAAC,EAAE,IAAI,MAAA,EAAE,UAAU,YAAA,EAAE,CAAC,CAAA;oBAC5D,qBAAM,aAAW,CAAC,YAAY,CAAC,aAAa,EAAE,gBAAgB,CAAC;wBAE/D,+DAA+D;wBAC/D,gCAAgC;wBAChC,+DAA+D;sBAJA;;oBAA/D,SAA+D,CAAA;oBAE/D,+DAA+D;oBAC/D,gCAAgC;oBAChC,+DAA+D;oBAC/D,qBAAM,UAAU,CACd,0EAA0E,EAC1E,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,SAAS,CAAC;4BACnD,SAAS,EAAE,QAAS,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO;4BAC9D,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE;yBACnC,CAAC,EAHH,CAGG,EACT,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,OAAO,KAAK,qBAAqB,EAAnC,CAAmC,EAAE,CACzE,EAAA;;oBAVD,+DAA+D;oBAC/D,gCAAgC;oBAChC,+DAA+D;oBAC/D,SAOC,CAAA;oBACD,qBAAM,UAAU,CACd,2EAA2E,EAC3E,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,UAAU,CAAC,CAAC;gCACrD,SAAS,EAAE,QAAS,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO;gCAC9D,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE;6BAC1C,CAAQ,CAAC,EAHJ,CAGI,EACV,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,OAAO,KAAK,qBAAqB,EAAnC,CAAmC,EAAE,CACzE;wBAED,0EAA0E;sBAFzE;;oBAPD,SAOC,CAAA;oBAED,0EAA0E;oBAC1E,qBAAM,UAAU,CACd,4DAA4D,EAC5D,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,SAAS,CAAC;4BACnD,SAAS,EAAE,UAAW,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO;4BAChE,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE;yBACnC,CAAC,EAHH,CAGG,EACT,EAAE,QAAQ,EAAE,UAAC,CAAM,IAAO,IAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,EAAE;gCAAE,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,SAAS,MAAK,UAAU,CAAA,CAAC,CAAC,EAAE,CAC9G;wBACD,0EAA0E;sBADzE;;oBARD,0EAA0E;oBAC1E,SAOC,CAAA;oBACD,0EAA0E;oBAC1E,qBAAM,UAAU,CACd,2DAA2D,EAC3D,cAAM,OAAA,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,SAAS,CAAC;4BAC3C,SAAS,EAAE,QAAS,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO;4BAC9D,WAAW,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE;yBACnC,CAAC,EAHH,CAGG,EACT,EAAE,QAAQ,EAAE,UAAC,CAAM,IAAO,IAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,EAAE;gCAAE,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,SAAS,MAAK,QAAQ,CAAA,CAAC,CAAC,EAAE,CAC5G;wBAED,+DAA+D;wBAC/D,0BAA0B;wBAC1B,+DAA+D;sBAJ9D;;oBARD,0EAA0E;oBAC1E,SAOC,CAAA;oBAKK,iBAAe,UAAC,SAAiB,IAAK,OAAA,CAAC;wBAC3C,SAAS,WAAA;wBAAE,UAAU,EAAE,gBAAS,IAAI,CAAC,GAAG,EAAE,CAAE,EAAE,MAAM,EAAE,cAAc;wBACpE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,SAAS;qBACxC,CAAC,EAH0C,CAG1C,CAAA;oBACF,qBAAM,UAAU,CACd,wDAAwD,EACxD,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,cAAc,CAAC,SAAS,CAAC,cAAY,CAAC,QAAS,CAAQ,CAAC,EAAxE,CAAwE,EAC9E,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,OAAO,KAAK,qBAAqB,EAAnC,CAAmC,EAAE,CACzE,EAAA;;oBAJD,SAIC,CAAA;oBACD,qBAAM,UAAU,CACd,sDAAsD,EACtD,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,cAAc,CAAC,SAAS,CAAC,cAAY,CAAC,UAAW,CAAQ,CAAC,EAA1E,CAA0E,EAChF,EAAE,QAAQ,EAAE,UAAC,CAAM,IAAO,IAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,EAAE;gCAAE,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,SAAS,MAAK,UAAU,CAAA,CAAC,CAAC,EAAE,CACxG,EAAA;;oBAJD,SAIC,CAAA;oBACD,qBAAM,UAAU,CACd,qDAAqD,EACrD,cAAM,OAAA,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,SAAS,CAAC,cAAY,CAAC,QAAS,CAAQ,CAAC,EAAhE,CAAgE,EACtE,EAAE,QAAQ,EAAE,UAAC,CAAM,IAAO,IAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,EAAE;gCAAE,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,SAAS,MAAK,QAAQ,CAAA,CAAC,CAAC,EAAE,CACtG;wBAED,+DAA+D;wBAC/D,mCAAmC;wBACnC,+DAA+D;sBAJ9D;;oBAJD,SAIC,CAAA;oBAED,+DAA+D;oBAC/D,mCAAmC;oBACnC,+DAA+D;oBAC/D,qBAAM,UAAU,CACd,uEAAuE,EACvE,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,uBAAuB,CAAC,SAAS,CAAC;4BACtD,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,EAAE,0BAA0B,EAAE,IAAI;yBACrE,CAAC,EAFH,CAEG,EACT,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,OAAO,KAAK,sDAAsD,EAApE,CAAoE,EAAE,CAC1G,EAAA;;oBATD,+DAA+D;oBAC/D,mCAAmC;oBACnC,+DAA+D;oBAC/D,SAMC,CAAA;oBACD,qBAAM,UAAU,CACd,uDAAuD,EACvD,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,uBAAuB,CAAC,SAAS,CAAC;4BACtD,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI;yBACtD,CAAC,EAFH,CAEG,EACT,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,OAAO,KAAK,sCAAsC,EAApD,CAAoD,EAAE,CAC1F,EAAA;;oBAND,SAMC,CAAA;oBACD,qBAAM,UAAU,CACd,gEAAgE,EAChE,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,uBAAuB,CAAC,SAAS,CAAC;4BACtD,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,GAAG,EAAE,SAAS,EAAE,QAAS;yBACtD,CAAC,EAFH,CAEG,EACT,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,OAAO,KAAK,qBAAqB,EAAnC,CAAmC,EAAE,CACzE,EAAA;;oBAND,SAMC,CAAA;oBACD,qBAAM,UAAU,CACd,mDAAmD,EACnD,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,uBAAuB,CAAC,SAAS,CAAC;4BACtD,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO;yBACjC,CAAC,EAFH,CAEG,EACT,EAAE,QAAQ,EAAE,UAAC,CAAM,IAAO,IAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,EAAE;gCAAE,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,UAAU,CAAA,IAAI,CAAC,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,0BAA0B,CAAA,CAAA,CAAC,CAAC,EAAE,CAC/H,EAAA;;oBAND,SAMC,CAAA;oBACD,qBAAM,UAAU,CACd,+CAA+C,EAC/C,cAAM,OAAA,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,SAAS,CAAC;4BAC9C,KAAK,EAAE,oBAAoB,EAAE,WAAW,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI;yBACzD,CAAC,EAFH,CAEG,EACT,EAAE,QAAQ,EAAE,UAAC,CAAM,IAAO,IAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,EAAE;gCAAE,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,UAAU,MAAK,IAAI,CAAA,CAAC,CAAC,EAAE,CACrG;wBAED,+DAA+D;wBAC/D,mFAAmF;wBACnF,+DAA+D;sBAJ9D;;oBAND,SAMC,CAAA;oBAKK,YAAU,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAA;oBAC/B,qBAAM,UAAU,CACd,wEAAwE,EACxE,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;4BACzC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,UAAW,EAAE,QAAS,CAAC,EAAE,OAAO,EAAE,CAAC,SAAO,CAAC;yBACpE,CAAC,EAFH,CAEG,EACT,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,OAAO,KAAK,6DAA6D,EAA3E,CAA2E,EAAE,CACjH;wBACD,6FAA6F;sBAD5F;;oBAND,SAMC,CAAA;oBACD,6FAA6F;oBAC7F,qBAAM,UAAU,CACd,2DAA2D,EAC3D,cAAM,OAAA,aAAW,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;4BACzC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,UAAW,CAAC,EAAE,OAAO,EAAE,CAAC,SAAO,CAAC;yBACzD,CAAC,EAFH,CAEG,EACT,EAAE,QAAQ,EAAE,UAAC,CAAM,gBAAO,IAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,EAAE;gCAAE,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAA,MAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,UAAU,0CAAE,MAAM,MAAK,CAAC,KAAI,MAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,OAAO,0CAAE,QAAQ,CAAC,SAAO,CAAC,CAAA,CAAA,CAAC,CAAC,EAAE,CACxI;wBACD,+DAA+D;sBAD9D;;oBAPD,6FAA6F;oBAC7F,SAMC,CAAA;oBACD,+DAA+D;oBAC/D,qBAAM,UAAU,CACd,8DAA8D,EAC9D,cAAM,OAAA,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;4BACjC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,UAAW,EAAE,QAAS,CAAC,EAAE,OAAO,EAAE,CAAC,SAAO,CAAC;yBACpE,CAAC,EAFH,CAEG,EACT,EAAE,QAAQ,EAAE,UAAC,CAAM,YAAO,IAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,EAAE;gCAAE,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAA,MAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,UAAU,0CAAE,MAAM,MAAK,CAAC,CAAA,CAAC,CAAC,EAAE,CACvG,EAAA;;oBAPD,+DAA+D;oBAC/D,SAMC,CAAA;;;0BAE8B,EAAd,iCAAc;;;yBAAd,CAAA,4BAAc,CAAA;oBAApB,EAAE;;;;oBACL,qBAAM,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC,EAAA;;oBAAtC,SAAsC,CAAA;;;;;;oBAD7B,IAAc,CAAA;;;0BAGG,EAAjB,uCAAiB;;;yBAAjB,CAAA,+BAAiB,CAAA;oBAAvB,EAAE;;;;oBACL,qBAAM,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,SAAS,CAAC,EAAE,CAAC,EAAA;;oBAAnD,SAAmD,CAAA;;;;;;oBAD1C,IAAiB,CAAA;;;0BAGI,EAArB,+CAAqB;;;yBAArB,CAAA,mCAAqB,CAAA;oBAA3B,EAAE;;;;oBACL,qBAAM,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,SAAS,CAAC,EAAE,CAAC,EAAA;;oBAAhD,SAAgD,CAAA;;;;;;oBADvC,IAAqB,CAAA;;;0BAGN,EAAf,mCAAe;;;yBAAf,CAAA,6BAAe,CAAA;oBAArB,EAAE;;;;oBACL,qBAAM,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC,EAAA;;oBAA1C,SAA0C,CAAA;;;;;;oBADjC,IAAe,CAAA;;;yBAG5B,UAAU,EAAV,yBAAU;;;;oBAAU,qBAAM,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,EAAA;;oBAA5C,SAA4C,CAAA;;;;;;yBAChE,QAAQ,EAAR,yBAAQ;;;;oBAAU,qBAAM,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAA;;oBAA1C,SAA0C,CAAA;;;;;;;;;;CAEnE,CAAA;AAED,6CAA6C;AAC7C,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,OAAO,CAAC,GAAG,CAAC,sCAAqB,IAAI,CAAE,CAAC,CAAA;IACxC,IAAM,KAAG,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IACjC,IAAM,aAAW,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IAEzC,IAAM,QAAQ,GAAG;;;wBACf,qBAAM,WAAW,CAAC,KAAG,EAAE,aAAW,CAAC,EAAA;;oBAAnC,SAAmC,CAAA;oBACnC,qBAAM,0BAA0B,CAAC,EAAE,GAAG,OAAA,EAAE,WAAW,eAAA,EAAE,CAAC,EAAA;;oBAAtD,SAAsD,CAAA;;;;SACvD,CAAA;IAED,QAAQ,EAAE;SACP,IAAI,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,sFAAsF,CAAC,CAAA;QACnG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC;SACD,KAAK,CAAC,UAAC,KAAK;QACX,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,KAAK,CAAC,CAAA;QACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC,CAAA;CACL"}
@@ -0,0 +1,20 @@
1
+ import { Session } from "../../../sdk";
2
+ /**
3
+ * Regression test for F-0145
4
+ * (security-audit/findings/F-0145-globalunique-conflict-leaks-cross-tenant-record.md).
5
+ *
6
+ * The create endpoint generator's unconditional globalUnique-enforcement block
7
+ * (routing.ts, "globalUnique should be enforced even if _overrideUnique is true")
8
+ * threw uniquenessError([{ existingRecord: matches[0] }]) with the RAW matched record.
9
+ * `findSomeByMatchAny_Global` deletes businessId, so the match is global; for `users`
10
+ * (globalUnique: ['email','phone']) the 409 body leaked the full record incl. hashedPass.
11
+ *
12
+ * Fix: redact existingRecord to { _id, businessId } like the safe validateUniquenessConstraints
13
+ * path. This reproduces the leak with a same-tenant collision (same code path) and asserts the
14
+ * 409 body's existingRecord exposes nothing beyond _id + businessId.
15
+ */
16
+ export declare const globalunique_leak_tests: ({ sdk }: {
17
+ sdk: Session;
18
+ sdkNonAdmin: Session;
19
+ }) => Promise<void>;
20
+ //# sourceMappingURL=F-0145-globalunique-leak.test.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"F-0145-globalunique-leak.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0145-globalunique-leak.test.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAStC;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,uBAAuB;SAA2B,OAAO;iBAAe,OAAO;mBA+B3F,CAAA"}
@@ -0,0 +1,135 @@
1
+ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
2
+ function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
3
+ return new (P || (P = Promise))(function (resolve, reject) {
4
+ function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
5
+ function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
6
+ function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
7
+ step((generator = generator.apply(thisArg, _arguments || [])).next());
8
+ });
9
+ };
10
+ var __generator = (this && this.__generator) || function (thisArg, body) {
11
+ var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
12
+ return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
13
+ function verb(n) { return function (v) { return step([n, v]); }; }
14
+ function step(op) {
15
+ if (f) throw new TypeError("Generator is already executing.");
16
+ while (g && (g = 0, op[0] && (_ = 0)), _) try {
17
+ if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
18
+ if (y = 0, t) op = [op[0] & 2, t.value];
19
+ switch (op[0]) {
20
+ case 0: case 1: t = op; break;
21
+ case 4: _.label++; return { value: op[1], done: false };
22
+ case 5: _.label++; y = op[1]; op = [0]; continue;
23
+ case 7: op = _.ops.pop(); _.trys.pop(); continue;
24
+ default:
25
+ if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
26
+ if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
27
+ if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
28
+ if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
29
+ if (t[2]) _.ops.pop();
30
+ _.trys.pop(); continue;
31
+ }
32
+ op = body.call(thisArg, _);
33
+ } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
34
+ if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
35
+ }
36
+ };
37
+ require('source-map-support').install();
38
+ import { Session } from "../../../sdk";
39
+ import { async_test, log_header, } from "@tellescope/testing";
40
+ import { setup_tests } from "../../setup";
41
+ var host = process.env.API_URL || 'http://localhost:8080';
42
+ /**
43
+ * Regression test for F-0145
44
+ * (security-audit/findings/F-0145-globalunique-conflict-leaks-cross-tenant-record.md).
45
+ *
46
+ * The create endpoint generator's unconditional globalUnique-enforcement block
47
+ * (routing.ts, "globalUnique should be enforced even if _overrideUnique is true")
48
+ * threw uniquenessError([{ existingRecord: matches[0] }]) with the RAW matched record.
49
+ * `findSomeByMatchAny_Global` deletes businessId, so the match is global; for `users`
50
+ * (globalUnique: ['email','phone']) the 409 body leaked the full record incl. hashedPass.
51
+ *
52
+ * Fix: redact existingRecord to { _id, businessId } like the safe validateUniquenessConstraints
53
+ * path. This reproduces the leak with a same-tenant collision (same code path) and asserts the
54
+ * 409 body's existingRecord exposes nothing beyond _id + businessId.
55
+ */
56
+ export var globalunique_leak_tests = function (_a) {
57
+ var sdk = _a.sdk;
58
+ return __awaiter(void 0, void 0, void 0, function () {
59
+ var userId, email_1, user, _b;
60
+ return __generator(this, function (_c) {
61
+ switch (_c.label) {
62
+ case 0:
63
+ log_header("F-0145: globalUnique conflict response redaction");
64
+ _c.label = 1;
65
+ case 1:
66
+ _c.trys.push([1, , 4, 9]);
67
+ email_1 = "f0145-victim-".concat(Date.now(), "@example.com");
68
+ return [4 /*yield*/, sdk.api.users.createOne({ email: email_1 })];
69
+ case 2:
70
+ user = _c.sent();
71
+ userId = user.id;
72
+ return [4 /*yield*/, async_test('F-0145: globalUnique 409 existingRecord exposes only _id + businessId (no email/hashedPass)', function () { return sdk.api.users.createOne({ email: email_1, _overrideUnique: true }); }, {
73
+ shouldError: true,
74
+ onError: function (e) {
75
+ var _a, _b;
76
+ var rec = (_b = (_a = e === null || e === void 0 ? void 0 : e.info) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.existingRecord;
77
+ if (!rec || typeof rec !== 'object')
78
+ return false;
79
+ var keys = Object.keys(rec);
80
+ return (keys.length > 0
81
+ && keys.every(function (k) { return k === '_id' || k === 'businessId' || k === 'id'; })
82
+ && !('email' in rec)
83
+ && !('hashedPass' in rec)
84
+ && !('hashedInviteCode' in rec));
85
+ },
86
+ })];
87
+ case 3:
88
+ _c.sent();
89
+ return [3 /*break*/, 9];
90
+ case 4:
91
+ if (!userId) return [3 /*break*/, 8];
92
+ _c.label = 5;
93
+ case 5:
94
+ _c.trys.push([5, 7, , 8]);
95
+ return [4 /*yield*/, sdk.api.users.deleteOne(userId)];
96
+ case 6:
97
+ _c.sent();
98
+ return [3 /*break*/, 8];
99
+ case 7:
100
+ _b = _c.sent();
101
+ return [3 /*break*/, 8];
102
+ case 8: return [7 /*endfinally*/];
103
+ case 9: return [2 /*return*/];
104
+ }
105
+ });
106
+ });
107
+ };
108
+ if (require.main === module) {
109
+ console.log("\uD83C\uDF10 Using API URL: ".concat(host));
110
+ var sdk_1 = new Session({ host: host });
111
+ var sdkNonAdmin_1 = new Session({ host: host });
112
+ var runTests = function () { return __awaiter(void 0, void 0, void 0, function () {
113
+ return __generator(this, function (_a) {
114
+ switch (_a.label) {
115
+ case 0: return [4 /*yield*/, setup_tests(sdk_1, sdkNonAdmin_1)];
116
+ case 1:
117
+ _a.sent();
118
+ return [4 /*yield*/, globalunique_leak_tests({ sdk: sdk_1, sdkNonAdmin: sdkNonAdmin_1 })];
119
+ case 2:
120
+ _a.sent();
121
+ return [2 /*return*/];
122
+ }
123
+ });
124
+ }); };
125
+ runTests()
126
+ .then(function () {
127
+ console.log("✅ F-0145 globalUnique leak test suite completed successfully");
128
+ process.exit(0);
129
+ })
130
+ .catch(function (error) {
131
+ console.error("❌ F-0145 globalUnique leak test suite failed:", error);
132
+ process.exit(1);
133
+ });
134
+ }
135
+ //# sourceMappingURL=F-0145-globalunique-leak.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"F-0145-globalunique-leak.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0145-globalunique-leak.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,CAAC,oBAAoB,CAAC,CAAC,OAAO,EAAE,CAAC;AAExC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EACL,UAAU,EACV,UAAU,GACX,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAEzC,IAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAgC,CAAA;AAEpE;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,IAAM,uBAAuB,GAAG,UAAO,EAAgD;QAA9C,GAAG,SAAA;;;;;;oBACjD,UAAU,CAAC,kDAAkD,CAAC,CAAA;;;;oBAItD,UAAQ,uBAAgB,IAAI,CAAC,GAAG,EAAE,iBAAc,CAAA;oBACzC,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,KAAK,SAAA,EAAS,CAAC,EAAA;;oBAAtD,IAAI,GAAG,SAA+C;oBAC5D,MAAM,GAAG,IAAI,CAAC,EAAE,CAAA;oBAEhB,qBAAM,UAAU,CACd,6FAA6F,EAC7F,cAAM,OAAA,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,KAAK,SAAA,EAAE,eAAe,EAAE,IAAI,EAAS,CAAC,EAAhE,CAAgE,EACtE;4BACE,WAAW,EAAE,IAAI;4BACjB,OAAO,EAAE,UAAC,CAAM;;gCACd,IAAM,GAAG,GAAG,MAAA,MAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,IAAI,0CAAG,CAAC,CAAC,0CAAE,cAAc,CAAA;gCACxC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;oCAAE,OAAO,KAAK,CAAA;gCACjD,IAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gCAC7B,OAAO,CACL,IAAI,CAAC,MAAM,GAAG,CAAC;uCACZ,IAAI,CAAC,KAAK,CAAC,UAAA,CAAC,IAAI,OAAA,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,YAAY,IAAI,CAAC,KAAK,IAAI,EAA/C,CAA+C,CAAC;uCAChE,CAAC,CAAC,OAAO,IAAI,GAAG,CAAC;uCACjB,CAAC,CAAC,YAAY,IAAI,GAAG,CAAC;uCACtB,CAAC,CAAC,kBAAkB,IAAI,GAAG,CAAC,CAChC,CAAA;4BACH,CAAC;yBACF,CACF,EAAA;;oBAlBD,SAkBC,CAAA;;;yBAEG,MAAM,EAAN,wBAAM;;;;oBAAU,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,EAAA;;oBAArC,SAAqC,CAAA;;;;;;;;;;CAE5D,CAAA;AAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,OAAO,CAAC,GAAG,CAAC,sCAAqB,IAAI,CAAE,CAAC,CAAA;IACxC,IAAM,KAAG,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IACjC,IAAM,aAAW,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IAEzC,IAAM,QAAQ,GAAG;;;wBACf,qBAAM,WAAW,CAAC,KAAG,EAAE,aAAW,CAAC,EAAA;;oBAAnC,SAAmC,CAAA;oBACnC,qBAAM,uBAAuB,CAAC,EAAE,GAAG,OAAA,EAAE,WAAW,eAAA,EAAE,CAAC,EAAA;;oBAAnD,SAAmD,CAAA;;;;SACpD,CAAA;IAED,QAAQ,EAAE;SACP,IAAI,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAA;QAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC;SACD,KAAK,CAAC,UAAC,KAAK;QACX,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAA;QACrE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC,CAAA;CACL"}
@@ -0,0 +1,18 @@
1
+ import { Session } from "../../../sdk";
2
+ /**
3
+ * Regression test for F-0151
4
+ * (security-audit/findings/F-0151-load-inbox-data-endusers-unredacted.md).
5
+ *
6
+ * load_inbox_data serialized $lookup'ed endusers via convert_id_name only (NOT applyRedactions),
7
+ * so endusers.hashedPassword (redactions:['all']) leaked to staff sessions — while the sibling
8
+ * phone_calls in the same response correctly went through applyRedactions.
9
+ *
10
+ * Repro: create an enduser, set their portal password (→ hashedPassword), seed an inbound
11
+ * (logOnly) email so the enduser appears in the inbox join, then load_inbox_data as staff and
12
+ * assert the returned enduser entry has NO hashedPassword.
13
+ */
14
+ export declare const load_inbox_redaction_tests: ({ sdk }: {
15
+ sdk: Session;
16
+ sdkNonAdmin: Session;
17
+ }) => Promise<void>;
18
+ //# sourceMappingURL=F-0151-load-inbox-redaction.test.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"F-0151-load-inbox-redaction.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0151-load-inbox-redaction.test.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAWtC;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,0BAA0B;SAA2B,OAAO;iBAAe,OAAO;mBAkC9F,CAAA"}