@tellescope/sdk 1.75.0 → 1.77.0

package/src/tests/tests.ts

@@ -140,6 +140,44 @@ const setup_tests = async () => {
     { expectedResult: 'Authenticated!' }
   )
 
+  // login rate limit tests
+  const badSDK = new Session({ host });
+  await badSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await badSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await badSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await badSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await badSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await async_test(
+    'login rate limited', 
+    () => badSDK.authenticate('bademail@tellescope.com', 'badpassword@tellescope.com'),
+    { shouldError: true, onError: e => e.message === 'Too many login attempts' }
+  )
+  await async_test(
+    'login not rate limited for other user', 
+    () => sdk.authenticate(email, password),
+    passOnAnyResult
+  )
+
+  const badEnduserSDK = new EnduserSession({ host, businessId });
+  await badEnduserSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await badEnduserSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await badEnduserSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await badEnduserSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await badEnduserSDK.authenticate('bademail@tellescope.com', 'badpassword').catch(console.error)
+  await async_test(
+    'login rate limited', 
+    () => badEnduserSDK.authenticate('bademail@tellescope.com', 'badpassword@tellescope.com'),
+    { shouldError: true, onError: e => e.message === 'Too many login attempts' }
+  )
+  await async_test(
+    'login not rate limited for other enduser', 
+    () => badEnduserSDK.authenticate('otherbademail@tellescope.com', 'badpassword@tellescope.com'),
+    { shouldError: true, onError: e => e.message !== 'Too many login attempts' }
+  )
+
+  // prevent additional login throttling
+  await async_test('reset_db', () => sdk.reset_db(), passOnVoid)
+
   await sdk.logout()
   await async_test<string, string>('test_authenticated - (logout invalidates jwt)', sdk.test_authenticated, { shouldError: true, onError: e => e === 'Unauthenticated' })
   await sdk.authenticate(email, password)
@@ -319,8 +357,11 @@ const sub_organization_enduser_tests = async() => {
   log_header("Sub Organizations (Enduser-Facing Tests)")
 
   await enduserSDK.register({ email: 'root@tellescope.com', password })
+  await wait(undefined, 1000) // avoid rate limiting error
   await subEnduserSDK.register({ email: 'sub@tellescope.com', password })
+  await wait(undefined, 1000) // avoid rate limiting error
   await enduserSDK.authenticate('root@tellescope.com', password)
+  await wait(undefined, 1000) // avoid rate limiting error
   await subEnduserSDK.authenticate('sub@tellescope.com', password)
 
   assert(!enduserSDK.userInfo.organizationIds?.length, 'bad root organizationIds', 'root auth org ids')
@@ -4085,8 +4126,10 @@ export const self_serve_appointment_booking_tests = async () => {
 
   const e1 = await sdk.api.endusers.createOne({ email: 'sebass+ny@tellescope.com', state: 'NY' }) 
   const e2 = await sdk.api.endusers.createOne({ email: 'sebass+ca@tellescope.com', state: 'CA' })
+  const e3 = await sdk.api.endusers.createOne({ email: 'sebass+3@tellescope.com' })
   await sdk.api.endusers.set_password({ id: e1.id, password })
   await sdk.api.endusers.set_password({ id: e2.id, password })
+  await sdk.api.endusers.set_password({ id: e3.id, password })
   
   const event15min = await sdk.api.calendar_event_templates.createOne({ 
     title: 'test 2', durationInMinutes: 15,
@@ -4098,6 +4141,12 @@ export const self_serve_appointment_booking_tests = async () => {
     confirmationEmailDisabled: true,
     confirmationSMSDisabled: true,
   })
+  const event30minGroup = await sdk.api.calendar_event_templates.createOne({ 
+    title: 'test group', durationInMinutes: 30,
+    confirmationEmailDisabled: true,
+    confirmationSMSDisabled: true,
+    enduserAttendeeLimit: 2, 
+  })
 
   // ensure it doesn't match current day, to avoid errors on testing
   const dayOfWeekStartingSundayIndexedByZero = (new Date().getDay() + 1) % 7 
@@ -4135,6 +4184,12 @@ export const self_serve_appointment_booking_tests = async () => {
     replaceObjectFields: true,
   })
 
+  const enduserSDK2 = new EnduserSession({ host, businessId })
+  await enduserSDK2.authenticate('sebass+ca@tellescope.com', password).catch(console.error) 
+
+  const enduserSDK3 = new EnduserSession({ host, businessId })
+  await enduserSDK3.authenticate('sebass+3@tellescope.com', password).catch(console.error) 
+
   // NY Enduser Tests
   await enduserSDK.authenticate('sebass+ny@tellescope.com', password).catch(console.error) 
   await async_test(
@@ -4258,6 +4313,78 @@ export const self_serve_appointment_booking_tests = async () => {
     handleAnyError
   )
 
+  // test group bookings
+  await sdk.api.calendar_events.updateOne(conflict.id, { enduserAttendeeLimit: 2 })
+  await async_test(
+    '[group booking] different event type conflict as group still blocks availability',
+    () => enduserSDK.api.calendar_events.get_appointment_availability({
+      calendarEventTemplateId: event30minGroup.id,
+      from: new Date(Date.now() - 10000),
+      to: new Date(Date.now() + 3 * 24 * 60 * 60 * 1000),
+    }),
+    {  onResult: r => r.availabilityBlocks.length === 2 }, 
+  )
+  await sdk.api.calendar_events.deleteOne(conflict.id)
+  await async_test(
+    '[group booking] availability',
+    () => enduserSDK.api.calendar_events.get_appointment_availability({
+      calendarEventTemplateId: event30minGroup.id,
+      from: new Date(Date.now() - 10000),
+      to: new Date(Date.now() + 3 * 24 * 60 * 60 * 1000),
+    }),
+    {  onResult: r => r.availabilityBlocks.length === 3 }, 
+  )
+  const groupEvent = (await enduserSDK.api.calendar_events.book_appointment({
+    calendarEventTemplateId: event30minGroup.id,
+    startTime: new Date(nySlots.availabilityBlocks[1].startTimeInMS),
+    userId: nySlots.availabilityBlocks[1].userId, 
+  })).createdEvent
+  await async_test(
+    '[group booking] more booking allowed',
+    () => enduserSDK.api.calendar_events.get_appointment_availability({
+      calendarEventTemplateId: event30minGroup.id,
+      from: new Date(Date.now() - 10000),
+      to: new Date(Date.now() + 3 * 24 * 60 * 60 * 1000),
+    }),
+    {  onResult: r => r.availabilityBlocks.length === 3 }, 
+  )
+  await async_test(
+    '[group booking] prevent double-book same-enduser',
+    () => enduserSDK.api.calendar_events.book_appointment({
+      calendarEventTemplateId: event30minGroup.id,
+      startTime: new Date(nySlots.availabilityBlocks[1].startTimeInMS),
+      userId: nySlots.availabilityBlocks[1].userId, 
+    }),
+    handleAnyError
+  )
+  await async_test(
+    '[group booking] allow other enduser to book',
+    () => enduserSDK2.api.calendar_events.book_appointment({
+      calendarEventTemplateId: event30minGroup.id,
+      startTime: new Date(nySlots.availabilityBlocks[1].startTimeInMS),
+      userId: nySlots.availabilityBlocks[1].userId, 
+    }),
+    passOnAnyResult
+  )
+  await async_test(
+    '[group booking] no more booking allowed',
+    () => enduserSDK.api.calendar_events.get_appointment_availability({
+      calendarEventTemplateId: event30minGroup.id,
+      from: new Date(Date.now() - 10000),
+      to: new Date(Date.now() + 3 * 24 * 60 * 60 * 1000),
+    }),
+    {  onResult: r => r.availabilityBlocks.length === 2 }, 
+  )
+  await async_test(
+    '[group booking] other enduser cant book over capacity',
+    () => enduserSDK3.api.calendar_events.book_appointment({
+      calendarEventTemplateId: event30minGroup.id,
+      startTime: new Date(nySlots.availabilityBlocks[1].startTimeInMS),
+      userId: nySlots.availabilityBlocks[1].userId, 
+    }),
+    handleAnyError
+  )
+
   // test 'multi' flag for booking multiple providers for a given patient
   await sdk.api.users.updateOne(sdk.userInfo.id, { 
     weeklyAvailabilities: [
@@ -4341,11 +4468,13 @@ export const self_serve_appointment_booking_tests = async () => {
   await Promise.all([
     sdk.api.endusers.deleteOne(e1.id),
     sdk.api.endusers.deleteOne(e2.id),
+    sdk.api.endusers.deleteOne(e3.id),
     sdk.api.calendar_event_templates.deleteOne(event30min.id),
+    sdk.api.calendar_event_templates.deleteOne(event30minGroup.id),
     sdk.api.calendar_event_templates.deleteOne(event15min.id),
     sdk.api.calendar_events.deleteOne(bookedAppointment.id),
-    sdk.api.calendar_events.deleteOne(conflict.id),
     sdk.api.calendar_events.deleteOne(bookedMultiAppointment.id),
+    sdk.api.calendar_events.deleteOne(groupEvent.id),
   ])
 }
 
@@ -5954,6 +6083,8 @@ const validate_schema = () => {
       endpoints.add(path)
     }
   }
+
+  console.log("Schema validated")
 }
 
 const test_weighted_round_robin = async () => {
@@ -6519,8 +6650,8 @@ export const ticket_reminder_tests = async () => {
         && t.nextReminderInMS !== -1
         && t.reminders?.filter(r => r.didRemind)?.length === 1
       ),
-      25,
-      200,
+      10,
+      500,
     ),
     passOnAnyResult
   )  
@@ -6620,6 +6751,7 @@ const test_send_with_template = async () => {
 }
 
 const delete_user_tests = async () => {
+  log_header("Delete user tests")
   // delete if previous test failed and user still exists
   const existing = await sdk.api.users.getSome({ filter: { email: 'deleteme@tellescope.com'}})
   if (existing[0]?.email === 'deleteme@tellescope.com') {
@@ -6644,6 +6776,369 @@ const delete_user_tests = async () => {
     createdUserSDK.test_authenticated,
     handleAnyError
   )  
+
+  const enduser = await sdk.api.endusers.createOne({ })
+  const { authToken: enduserAuthToken } = await sdk.api.endusers.generate_auth_token({ id: enduser.id })
+  const enduserSDK = new EnduserSession({ host, businessId, authToken: enduserAuthToken })
+
+  await async_test(
+    "Enduser Authenticated",
+    () => enduserSDK.api.endusers.getSome(),
+    passOnAnyResult
+  )  
+
+  await sdk.api.endusers.deleteOne(enduser.id)
+  await wait(undefined, 250)
+  await async_test(
+    "Enduser De-authenticated after deletion",
+    () => enduserSDK.api.endusers.getSome(),
+    handleAnyError
+  )  
+}
+
+const sdkMfaApiKeyUserId = '6525a43e1e75f0350d62afc4'
+const lockout_tests = async () => {
+  log_header("Lockout tests")
+
+  await async_test(
+    "API Key is authenticated",
+    sdkMfaApiKey.test_authenticated,
+    passOnAnyResult,
+  )
+  await async_test(
+    "API Key lock to future date",
+    () => sdk.api.users.updateOne(sdkMfaApiKeyUserId, { lockedOutUntil: 0 }),
+    passOnAnyResult
+  )
+  await wait(undefined, 250)
+  await async_test(
+    "API Key is de-authenticated when locked",
+    sdkMfaApiKey.test_authenticated,
+    handleAnyError,
+  )
+  await async_test(
+    "API Key unlock to -1",
+    () => sdk.api.users.updateOne(sdkMfaApiKeyUserId, { lockedOutUntil: -1 }),
+    passOnAnyResult
+  )
+  await async_test(
+    "API Key is authenticated",
+    sdkMfaApiKey.test_authenticated,
+    passOnAnyResult,
+  )
+
+  const nonAdminId = sdkNonAdmin.userInfo.id
+  await async_test(
+    "users cannot update own lock status",
+    () => sdk.api.users.updateOne(sdk.userInfo.id, { lockedOutUntil: -1 }),
+    handleAnyError,
+  )
+  await async_test(
+    "non-admin can't lock out others",
+    () => sdkNonAdmin.api.users.updateOne(sdk.userInfo.id, { lockedOutUntil: Date.now() }),
+    handleAnyError
+  )
+  await async_test(
+    "non-admin is authenticated",
+    sdkNonAdmin.test_authenticated,
+    passOnAnyResult,
+  )
+  await async_test(
+    "admin unlock to -1",
+    () => sdk.api.users.updateOne(nonAdminId, { lockedOutUntil: -1 }),
+    passOnAnyResult,
+  )
+  await async_test(
+    "non-admin is authenticated (-1)",
+    sdkNonAdmin.test_authenticated,
+    passOnAnyResult,
+  )
+  await async_test(
+    "admin lock to past date",
+    () => sdk.api.users.updateOne(nonAdminId, { lockedOutUntil: Date.now() - 1000 }),
+    passOnAnyResult, 
+  )
+  await async_test(
+    "non-admin is authenticated (past date)",
+    sdkNonAdmin.test_authenticated,
+    passOnAnyResult,
+  )
+
+  await async_test(
+    "admin lock to 0 (indefinite)",
+    () => sdk.api.users.updateOne(nonAdminId, { lockedOutUntil: 0 }),
+    passOnAnyResult
+  )
+  await wait(undefined, 250)
+  await async_test(
+    "non-admin is de-authenticated when locked to 0",
+    sdkNonAdmin.test_authenticated,
+    handleAnyError,
+  )
+  await async_test(
+    "non-admin can't authenciate when locked to 0",
+    () => sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword),
+    handleAnyError,
+  )
+  await async_test(
+    "admin unlock to -1",
+    () => sdk.api.users.updateOne(nonAdminId, { lockedOutUntil: -1 }),
+    passOnAnyResult
+  )
+  await async_test(
+    "non-admin can re authenciate when locked to 0",
+    () => sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword),
+    passOnAnyResult,
+  )
+  await async_test(
+    "non-admin is authenticated",
+    sdkNonAdmin.test_authenticated,
+    passOnAnyResult,
+  )
+
+  await async_test(
+    "admin lock to future date",
+    () => sdk.api.users.updateOne(nonAdminId, { lockedOutUntil: Date.now() + 10000 }),
+    passOnAnyResult
+  )
+  await wait(undefined, 250)
+  await async_test(
+    "non-admin is de-authenticated when locked to future date",
+    sdkNonAdmin.test_authenticated,
+    handleAnyError,
+  )
+  await async_test(
+    "non-admin can't authenciate when locked to future date",
+    () => sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword),
+    handleAnyError,
+  )
+  await async_test(
+    "admin unlock to -1",
+    () => sdk.api.users.updateOne(nonAdminId, { lockedOutUntil: -1 }),
+    passOnAnyResult
+  )
+  await async_test(
+    "non-admin can re authenciate when locked to future date",
+    () => sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword),
+    passOnAnyResult,
+  )
+  await async_test(
+    "non-admin is authenticated",
+    sdkNonAdmin.test_authenticated,
+    passOnAnyResult,
+  )
+}
+
+const sync_tests = async () => {
+  log_header("Data Sync")
+
+  const from = new Date()
+
+  await async_test(
+    "No new records, admin",
+    () => sdk.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+  await async_test(
+    "No new records, non-admin",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+
+  const e = await sdk.api.endusers.createOne({ })
+  await wait(undefined, 100)
+  await async_test(
+    "Enduser create, admin",
+    () => sdk.sync({ from }),
+    { onResult: ({ results }) => (
+      results.length === 1 
+      && results[0].modelName === 'endusers' 
+      && results[0].recordId === e.id 
+      && results[0].data.includes(e.id) 
+      && JSON.parse(results[0].data) // tests no error throwing
+    )},
+  )
+  await async_test(
+    "Enduser create, non-admin",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+  await async_test(
+    "Enduser create, sub organization",
+    () => sdkSub.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+
+  await sdk.api.endusers.updateOne(e.id, { fname: "UPDATE_TEST"})
+  await wait(undefined, 100)
+  await async_test(
+    "Enduser update, admin",
+    () => sdk.sync({ from }),
+    { onResult: ({ results }) => (
+      results.length === 1 
+      && results[0].modelName === 'endusers' 
+      && results[0].recordId === e.id 
+      && results[0].data.includes("UPDATE_TEST") 
+    )},
+  )
+  await async_test(
+    "Enduser update, non-admin",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+  await async_test(
+    "Enduser update, sub organization",
+    () => sdkSub.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+
+  const t = await sdk.api.tickets.createOne({ title: 'access test'  })
+  await wait(undefined, 100)
+  await async_test(
+    "Non-admin can't access ticket",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+
+  // creates a user notification which increments count/index
+  sdk.api.tickets.updateOne(t.id, { owner: sdkNonAdmin.userInfo.id  })
+  await wait(undefined, 100)
+
+  await async_test(
+    "Non-admin can access tickets on assignment",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 2 },
+  )
+  sdk.api.tickets.updateOne(t.id, { owner: ''  })
+  await wait(undefined, 100)
+  await async_test(
+    "Non-admin can't access tickets on unassignment",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 1 }, // still includes user notification
+  )
+
+  await sdk.api.endusers.updateOne(e.id, { assignedTo: [sdkNonAdmin.userInfo.id] }, { replaceObjectFields: true })
+  await wait(undefined, 100)
+  await async_test(
+    "Enduser update non-admin assignment, can access",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 2 }, // enduser and ticket user notification
+  )
+
+  sdk.api.tickets.updateOne(t.id, { owner: '', enduserId: e.id  })
+  await wait(undefined, 100)
+  await async_test(
+    "Non-admin can access ticket (and enduser) after enduser assignment",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 3 },
+  )
+
+  await sdk.api.endusers.updateOne(e.id, { assignedTo: [] }, { replaceObjectFields: true })
+  await wait(undefined, 100)
+  await async_test(
+    "Enduser update non-admin assignment, revoked access to enduser and ticket",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 1 }, // still has user notification
+  )
+  
+  // enduser, ticket, and ticket assignment user_notification created
+  await sdk.api.endusers.deleteOne(e.id)
+  await wait(undefined, 100)
+  await async_test(
+    "Enduser delete, admin",
+    () => sdk.sync({ from }),
+    { onResult: ({ results }) => (
+      results.length === 3 
+      && results[0].modelName === 'endusers' 
+      && results[0].recordId === e.id 
+      && results[0].data === 'deleted' 
+    )},
+  )
+  await async_test(
+    "Enduser delete, non-admin",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 1 }, // still includes user notification
+  )
+  await async_test(
+    "Enduser delete, sub organization",
+    () => sdkSub.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+  
+  // bulk create test coverage
+  const [e2] = (await sdk.api.endusers.createSome([{ }])).created
+  await wait(undefined, 100)
+  await async_test(
+    "Bulk Enduser create, admin",
+    () => sdk.sync({ from }),
+    { onResult: ({ results }) => (
+      results.length === 4 
+      && results[0].modelName === 'endusers' 
+      && results[0].recordId === e2.id 
+      && results[0].data.includes(e2.id) 
+      && JSON.parse(results[0].data) // tests no error throwing
+    )},
+  )
+  await async_test(
+    "Bulk Enduser create, non-admin",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 1 }, // still includes user notification
+  )
+  await async_test(
+    "Bulk Enduser create, sub organization",
+    () => sdkSub.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+
+  await sdk.api.endusers.deleteOne(e2.id)
+  await wait(undefined, 100)
+  await async_test(
+    "Bulk Enduser delete, admin",
+    () => sdk.sync({ from }),
+    { onResult: ({ results }) => (
+      results.length === 4 
+      && results[0].modelName === 'endusers' 
+      && results[0].recordId === e2.id 
+      && results[0].data === 'deleted' 
+    )},
+  )
+  await async_test(
+    "Bulk Enduser delete, non-admin",
+    () => sdkNonAdmin.sync({ from }),
+    { onResult: ({ results }) => results.length === 1 }, // still includes user notification
+  )
+  await async_test(
+    "Bulk Enduser delete, sub organization",
+    () => sdkSub.sync({ from }),
+    { onResult: ({ results }) => results.length === 0 },
+  )
+}
+
+// to cover potential vulernabilities with enduser public register endpoint
+const register_as_enduser_tests = async () => {
+  log_header("Register as Enduser")
+
+  await async_test(
+    "Enduser register",
+    () => enduserSDK.register({ email: 'test@tellescope.com', password: 'testpassWord12345!' }),
+    passOnAnyResult
+  )
+  await async_test(
+    "Enduser register (rate limited)",
+    () => enduserSDK.register({ email: 'test@tellescope.com', password: 'testpassWord12345!' }),
+    { shouldError: true, onError: e => e.message === "Too many requests" }
+  )
+  await wait(undefined, 1000)
+  await async_test(
+    "Enduser duplicate register (same response, no ability to enumerate contacts)",
+    () => enduserSDK.register({ email: 'test@tellescope.com', password: 'testpassWord12345!' }),
+    passOnAnyResult
+  )
+
+  const enduser = await sdk.api.endusers.getOne({ email: 'test@tellescope.com'})
+  if (enduser) {
+    await sdk.api.endusers.deleteOne(enduser.id)
+  }
 }
 
 (async () => {
@@ -6669,6 +7164,7 @@ const delete_user_tests = async () => {
       sdkSubSub.authenticate(subSubUserEmail, password),
       sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword),
     ]) 
+    console.log("Authentication done")
 
     // console.log(JSON.stringify(await sdk.bulk_load({ load: [{ model: 'users' }]}), null, 2))
  
@@ -6688,9 +7184,12 @@ const delete_user_tests = async () => {
     await mfa_tests()
     await setup_tests()
     await multi_tenant_tests() // should come right after setup tests
+    await register_as_enduser_tests()
+    await sync_tests()
+    await lockout_tests()
+    await self_serve_appointment_booking_tests()
     await delete_user_tests()
     // await test_send_with_template()
-    await self_serve_appointment_booking_tests()
     await bulk_read_tests()
     await ticket_reminder_tests()
     await enduser_access_tags_tests()