@thebookingkit/server 0.1.2 → 0.1.3

package/src/__tests__/auth.test.ts

@@ -1,111 +0,0 @@
-import { describe, it, expect, vi } from "vitest";
-import {
-  withAuth,
-  assertProviderOwnership,
-  assertCustomerAccess,
-  UnauthorizedError,
-  ForbiddenError,
-  type AuthAdapter,
-  type AuthUser,
-} from "../index.js";
-
-function mockAdapter(user: AuthUser | null): AuthAdapter {
-  return {
-    getCurrentUser: vi.fn().mockResolvedValue(user),
-    getSession: vi.fn().mockResolvedValue(user ? { user, expires: new Date() } : null),
-    verifyToken: vi.fn().mockResolvedValue(user),
-  };
-}
-
-function mockRequest(headers: Record<string, string> = {}): Request {
-  return new Request("http://localhost/api/test", {
-    headers: new Headers(headers),
-  });
-}
-
-describe("withAuth", () => {
-  it("injects user and calls handler on valid session", async () => {
-    const user: AuthUser = { id: "user1", email: "test@test.com" };
-    const adapter = mockAdapter(user);
-    const handler = vi.fn().mockResolvedValue(Response.json({ ok: true }));
-
-    const wrapped = withAuth(adapter, handler);
-    const response = await wrapped(mockRequest());
-
-    expect(response.status).toBe(200);
-    expect(handler).toHaveBeenCalledTimes(1);
-    const calledReq = handler.mock.calls[0][0];
-    expect(calledReq.user).toEqual(user);
-  });
-
-  it("returns 401 when no user is authenticated", async () => {
-    const adapter = mockAdapter(null);
-    // verifyToken also returns null
-    adapter.verifyToken = vi.fn().mockResolvedValue(null);
-    const handler = vi.fn();
-
-    const wrapped = withAuth(adapter, handler);
-    const response = await wrapped(mockRequest());
-
-    expect(response.status).toBe(401);
-    expect(handler).not.toHaveBeenCalled();
-  });
-
-  it("falls back to Bearer token when session returns null", async () => {
-    const user: AuthUser = { id: "user2", email: "api@test.com" };
-    const adapter = mockAdapter(null);
-    adapter.getCurrentUser = vi.fn().mockResolvedValue(null);
-    adapter.verifyToken = vi.fn().mockResolvedValue(user);
-
-    const handler = vi.fn().mockResolvedValue(Response.json({ ok: true }));
-    const wrapped = withAuth(adapter, handler);
-    const response = await wrapped(
-      mockRequest({ Authorization: "Bearer test-token-123" }),
-    );
-
-    expect(response.status).toBe(200);
-    expect(adapter.verifyToken).toHaveBeenCalledWith("test-token-123");
-  });
-
-  it("returns 403 when role does not match", async () => {
-    const user: AuthUser = {
-      id: "user3",
-      email: "member@test.com",
-      role: "customer",
-    };
-    const adapter = mockAdapter(user);
-    const handler = vi.fn();
-
-    const wrapped = withAuth(adapter, handler, { requiredRole: "admin" });
-    const response = await wrapped(mockRequest());
-
-    expect(response.status).toBe(403);
-    expect(handler).not.toHaveBeenCalled();
-  });
-});
-
-describe("assertProviderOwnership", () => {
-  it("does not throw when user IDs match", () => {
-    expect(() => assertProviderOwnership("user1", "user1")).not.toThrow();
-  });
-
-  it("throws ForbiddenError when user IDs do not match", () => {
-    expect(() => assertProviderOwnership("user1", "user2")).toThrow(
-      ForbiddenError,
-    );
-  });
-});
-
-describe("assertCustomerAccess", () => {
-  it("does not throw when emails match", () => {
-    expect(() =>
-      assertCustomerAccess("a@test.com", "a@test.com"),
-    ).not.toThrow();
-  });
-
-  it("throws ForbiddenError when emails do not match", () => {
-    expect(() =>
-      assertCustomerAccess("a@test.com", "b@test.com"),
-    ).toThrow(ForbiddenError);
-  });
-});

package/src/__tests__/concurrent-booking.test.ts

@@ -1,170 +0,0 @@
-import { describe, it, expect } from "vitest";
-import {
-  withSerializableRetry,
-  BookingConflictError,
-  SerializationRetryExhaustedError,
-} from "../index.js";
-
-/**
- * Concurrent booking simulation tests.
- *
- * These tests simulate the load test from E01-S04:
- * "50 concurrent booking attempts for the same slot yields exactly 1 confirmed
- *  booking, 0 unhandled serialization errors, and all other callers receive
- *  a clear conflict response within 2 seconds."
- *
- * Since we can't connect to a real Postgres in unit tests, we simulate the
- * database behavior with an in-memory "slot lock" that mimics the EXCLUDE
- * constraint (SQLSTATE 23P01) and serialization failures (SQLSTATE 40001).
- */
-
-/** Simulates a Postgres error with a SQLSTATE code */
-class PgError extends Error {
-  code: string;
-  constructor(message: string, code: string) {
-    super(message);
-    this.name = "PgError";
-    this.code = code;
-  }
-}
-
-describe("Concurrent Booking Simulation (E01-S04 Load Test)", () => {
-  it("50 concurrent attempts for the same slot: exactly 1 success, rest get conflict", async () => {
-    // Simulate a database slot that can only be booked once.
-    // The first successful INSERT wins; subsequent attempts get exclusion_violation.
-    let slotBooked = false;
-    let serializationFailureCount = 0;
-    const maxSimulatedSerializationFailures = 5; // simulate some contention
-
-    const attemptBooking = async (attemptId: number): Promise<string> => {
-      return withSerializableRetry(
-        async () => {
-          // Simulate random serialization failures under contention
-          if (
-            !slotBooked &&
-            serializationFailureCount < maxSimulatedSerializationFailures &&
-            Math.random() < 0.3
-          ) {
-            serializationFailureCount++;
-            throw new PgError("serialization failure", "40001");
-          }
-
-          // Simulate the EXCLUDE constraint check
-          if (slotBooked) {
-            throw new PgError(
-              "conflicting key value violates exclusion constraint",
-              "23P01",
-            );
-          }
-
-          // Race: first writer wins
-          slotBooked = true;
-          return `booking-${attemptId}`;
-        },
-        { maxRetries: 3, baseDelayMs: 10 },
-      );
-    };
-
-    const CONCURRENCY = 50;
-    const results = await Promise.allSettled(
-      Array.from({ length: CONCURRENCY }, (_, i) => attemptBooking(i)),
-    );
-
-    const successes = results.filter((r) => r.status === "fulfilled");
-    const failures = results.filter((r) => r.status === "rejected");
-
-    // Exactly 1 booking should succeed
-    expect(successes.length).toBe(1);
-
-    // All failures should be BookingConflictError (not unhandled errors)
-    for (const failure of failures) {
-      if (failure.status === "rejected") {
-        expect(failure.reason).toBeInstanceOf(BookingConflictError);
-      }
-    }
-
-    // Zero unhandled serialization errors
-    const serializationErrors = failures.filter(
-      (f) =>
-        f.status === "rejected" &&
-        f.reason instanceof SerializationRetryExhaustedError,
-    );
-    expect(serializationErrors.length).toBe(0);
-  });
-
-  it("completes all 50 attempts within 2 seconds", async () => {
-    let slotBooked = false;
-
-    const attemptBooking = async (attemptId: number): Promise<string> => {
-      return withSerializableRetry(
-        async () => {
-          if (slotBooked) {
-            throw new PgError(
-              "conflicting key value violates exclusion constraint",
-              "23P01",
-            );
-          }
-          slotBooked = true;
-          return `booking-${attemptId}`;
-        },
-        { maxRetries: 3, baseDelayMs: 10 },
-      );
-    };
-
-    const start = Date.now();
-
-    await Promise.allSettled(
-      Array.from({ length: 50 }, (_, i) => attemptBooking(i)),
-    );
-
-    const elapsed = Date.now() - start;
-    expect(elapsed).toBeLessThan(2000);
-  });
-
-  it("serialization failures are retried and can succeed on a different slot", async () => {
-    let attempt = 0;
-
-    const result = await withSerializableRetry(
-      async () => {
-        attempt++;
-        if (attempt <= 2) {
-          throw new PgError("serialization failure", "40001");
-        }
-        return "booking-success";
-      },
-      { maxRetries: 3, baseDelayMs: 10 },
-    );
-
-    expect(result).toBe("booking-success");
-    expect(attempt).toBe(3);
-  });
-
-  it("retries are exhausted after maxRetries serialization failures", async () => {
-    const fn = () =>
-      withSerializableRetry(
-        async () => {
-          throw new PgError("serialization failure", "40001");
-        },
-        { maxRetries: 3, baseDelayMs: 10 },
-      );
-
-    await expect(fn()).rejects.toThrow(SerializationRetryExhaustedError);
-  });
-
-  it("exclusion violation (slot taken) is never retried", async () => {
-    let callCount = 0;
-
-    const fn = () =>
-      withSerializableRetry(
-        async () => {
-          callCount++;
-          throw new PgError("exclusion constraint", "23P01");
-        },
-        { maxRetries: 3, baseDelayMs: 10 },
-      );
-
-    await expect(fn()).rejects.toThrow(BookingConflictError);
-    // Should NOT have retried — only 1 call
-    expect(callCount).toBe(1);
-  });
-});

package/src/__tests__/multi-tenancy.test.ts

@@ -1,267 +0,0 @@
-import { describe, it, expect } from "vitest";
-import {
-  resolveEffectiveSettings,
-  getRolePermissions,
-  roleHasPermission,
-  assertOrgPermission,
-  assertTenantScope,
-  buildOrgBookingUrl,
-  parseOrgBookingPath,
-  TenantAuthorizationError,
-  GLOBAL_DEFAULTS,
-  type OrgMember,
-  type OrgSettings,
-  type ProviderSettings,
-  type EventTypeSettings,
-} from "../multi-tenancy.js";
-
-// ---------------------------------------------------------------------------
-// resolveEffectiveSettings
-// ---------------------------------------------------------------------------
-
-describe("resolveEffectiveSettings", () => {
-  it("uses global defaults when no settings provided", () => {
-    const resolved = resolveEffectiveSettings();
-    expect(resolved.timezone).toBe(GLOBAL_DEFAULTS.timezone);
-    expect(resolved.currency).toBe(GLOBAL_DEFAULTS.currency);
-    expect(resolved.bufferMinutes).toBe(GLOBAL_DEFAULTS.bufferMinutes);
-    expect(resolved.branding).toEqual({});
-    expect(resolved.bookingLimits).toEqual({});
-  });
-
-  it("applies org settings over global defaults", () => {
-    const org: OrgSettings = {
-      defaultTimezone: "America/New_York",
-      defaultCurrency: "EUR",
-      branding: { primaryColor: "#6366f1" },
-    };
-
-    const resolved = resolveEffectiveSettings(org);
-    expect(resolved.timezone).toBe("America/New_York");
-    expect(resolved.currency).toBe("EUR");
-    expect(resolved.branding.primaryColor).toBe("#6366f1");
-  });
-
-  it("provider settings override org settings", () => {
-    const org: OrgSettings = {
-      defaultTimezone: "America/New_York",
-      defaultCurrency: "USD",
-    };
-    const provider: ProviderSettings = {
-      timezone: "Europe/London",
-      currency: "GBP",
-    };
-
-    const resolved = resolveEffectiveSettings(org, provider);
-    expect(resolved.timezone).toBe("Europe/London");
-    expect(resolved.currency).toBe("GBP");
-  });
-
-  it("event type settings override provider settings", () => {
-    const org: OrgSettings = { defaultTimezone: "UTC" };
-    const provider: ProviderSettings = { timezone: "America/New_York" };
-    const eventType: EventTypeSettings = { timezone: "Asia/Tokyo" };
-
-    const resolved = resolveEffectiveSettings(org, provider, eventType);
-    expect(resolved.timezone).toBe("Asia/Tokyo");
-  });
-
-  it("merges branding settings additively", () => {
-    const org: OrgSettings = {
-      branding: { primaryColor: "#000", logoUrl: "https://example.com/logo.png" },
-    };
-    const provider: ProviderSettings = {
-      branding: { primaryColor: "#fff" },
-    };
-
-    const resolved = resolveEffectiveSettings(org, provider);
-    expect(resolved.branding.primaryColor).toBe("#fff"); // provider overrides
-    expect(resolved.branding.logoUrl).toBe("https://example.com/logo.png"); // org preserved
-  });
-
-  it("merges booking limits additively", () => {
-    const org: OrgSettings = {
-      defaultBookingLimits: { maxPerDay: 5 },
-    };
-    const provider: ProviderSettings = {
-      bookingLimits: { maxPerWeek: 20 },
-    };
-
-    const resolved = resolveEffectiveSettings(org, provider);
-    expect(resolved.bookingLimits).toMatchObject({ maxPerDay: 5, maxPerWeek: 20 });
-  });
-
-  it("handles null settings gracefully", () => {
-    expect(() => resolveEffectiveSettings(null, null, null)).not.toThrow();
-  });
-});
-
-// ---------------------------------------------------------------------------
-// getRolePermissions
-// ---------------------------------------------------------------------------
-
-describe("getRolePermissions", () => {
-  it("owner has all permissions", () => {
-    const perms = getRolePermissions("owner");
-    expect(perms).toContain("manage:members");
-    expect(perms).toContain("manage:teams");
-    expect(perms).toContain("view:all-bookings");
-    expect(perms).toContain("manage:organization");
-    expect(perms).toContain("view:analytics");
-  });
-
-  it("admin has management permissions but not member management", () => {
-    const perms = getRolePermissions("admin");
-    expect(perms).toContain("manage:teams");
-    expect(perms).toContain("view:all-bookings");
-    expect(perms).not.toContain("manage:members");
-    expect(perms).not.toContain("manage:organization");
-  });
-
-  it("member has only own-resource permissions", () => {
-    const perms = getRolePermissions("member");
-    expect(perms).toContain("view:own-bookings");
-    expect(perms).toContain("manage:own-availability");
-    expect(perms).not.toContain("view:all-bookings");
-    expect(perms).not.toContain("manage:teams");
-  });
-});
-
-// ---------------------------------------------------------------------------
-// roleHasPermission
-// ---------------------------------------------------------------------------
-
-describe("roleHasPermission", () => {
-  it("returns true for permitted action", () => {
-    expect(roleHasPermission("owner", "manage:members")).toBe(true);
-  });
-
-  it("returns false for unpermitted action", () => {
-    expect(roleHasPermission("member", "manage:members")).toBe(false);
-  });
-
-  it("admin can view all bookings", () => {
-    expect(roleHasPermission("admin", "view:all-bookings")).toBe(true);
-  });
-});
-
-// ---------------------------------------------------------------------------
-// assertOrgPermission
-// ---------------------------------------------------------------------------
-
-describe("assertOrgPermission", () => {
-  const ownerMember: OrgMember = {
-    userId: "user-1",
-    organizationId: "org-1",
-    role: "owner",
-  };
-
-  const regularMember: OrgMember = {
-    userId: "user-2",
-    organizationId: "org-1",
-    role: "member",
-  };
-
-  it("does not throw for permitted action", () => {
-    expect(() =>
-      assertOrgPermission(ownerMember, "manage:members"),
-    ).not.toThrow();
-  });
-
-  it("throws for unpermitted action", () => {
-    expect(() =>
-      assertOrgPermission(regularMember, "manage:members"),
-    ).toThrow(TenantAuthorizationError);
-  });
-
-  it("throws with descriptive message", () => {
-    expect(() =>
-      assertOrgPermission(regularMember, "view:all-bookings"),
-    ).toThrow('"member"');
-  });
-});
-
-// ---------------------------------------------------------------------------
-// assertTenantScope
-// ---------------------------------------------------------------------------
-
-describe("assertTenantScope", () => {
-  it("does not throw when org IDs match", () => {
-    expect(() => assertTenantScope("org-1", "org-1")).not.toThrow();
-  });
-
-  it("does not throw when resource has no org ID", () => {
-    expect(() => assertTenantScope(null, "org-1")).not.toThrow();
-    expect(() => assertTenantScope(undefined, "org-1")).not.toThrow();
-  });
-
-  it("throws when org IDs don't match", () => {
-    expect(() => assertTenantScope("org-2", "org-1")).toThrow(
-      TenantAuthorizationError,
-    );
-    expect(() => assertTenantScope("org-2", "org-1")).toThrow(
-      "does not belong to the current organization",
-    );
-  });
-});
-
-// ---------------------------------------------------------------------------
-// buildOrgBookingUrl
-// ---------------------------------------------------------------------------
-
-describe("buildOrgBookingUrl", () => {
-  it("builds the correct URL", () => {
-    const url = buildOrgBookingUrl(
-      "acme-corp",
-      "dr-smith",
-      "consultation",
-      "https://booking.example.com",
-    );
-    expect(url).toBe(
-      "https://booking.example.com/acme-corp/dr-smith/consultation",
-    );
-  });
-});
-
-// ---------------------------------------------------------------------------
-// parseOrgBookingPath
-// ---------------------------------------------------------------------------
-
-describe("parseOrgBookingPath", () => {
-  it("parses valid path", () => {
-    const result = parseOrgBookingPath("/acme-corp/dr-smith/consultation");
-    expect(result).toEqual({
-      orgSlug: "acme-corp",
-      providerSlug: "dr-smith",
-      eventTypeSlug: "consultation",
-    });
-  });
-
-  it("returns null for invalid path", () => {
-    expect(parseOrgBookingPath("/only-two/segments")).toBeNull();
-    expect(parseOrgBookingPath("/too/many/path/segments")).toBeNull();
-    expect(parseOrgBookingPath("no-leading-slash")).toBeNull();
-  });
-
-  it("returns null for empty path", () => {
-    expect(parseOrgBookingPath("")).toBeNull();
-  });
-});
-
-// ---------------------------------------------------------------------------
-// GLOBAL_DEFAULTS
-// ---------------------------------------------------------------------------
-
-describe("GLOBAL_DEFAULTS", () => {
-  it("uses UTC timezone", () => {
-    expect(GLOBAL_DEFAULTS.timezone).toBe("UTC");
-  });
-
-  it("uses USD currency", () => {
-    expect(GLOBAL_DEFAULTS.currency).toBe("USD");
-  });
-
-  it("uses 0 buffer minutes", () => {
-    expect(GLOBAL_DEFAULTS.bufferMinutes).toBe(0);
-  });
-});

package/src/__tests__/serialization-retry.test.ts

@@ -1,76 +0,0 @@
-import { describe, it, expect, vi } from "vitest";
-import {
-  withSerializableRetry,
-  BookingConflictError,
-  SerializationRetryExhaustedError,
-} from "../index.js";
-
-function makePostgresError(code: string, message = "pg error") {
-  const err = new Error(message) as Error & { code: string };
-  err.code = code;
-  return err;
-}
-
-describe("withSerializableRetry", () => {
-  it("returns the result on success", async () => {
-    const result = await withSerializableRetry(async () => ({ id: "123" }));
-    expect(result).toEqual({ id: "123" });
-  });
-
-  it("throws BookingConflictError on exclusion violation (23P01)", async () => {
-    const fn = vi.fn().mockRejectedValue(makePostgresError("23P01"));
-
-    await expect(withSerializableRetry(fn)).rejects.toThrow(
-      BookingConflictError,
-    );
-    // Should NOT retry on exclusion violation
-    expect(fn).toHaveBeenCalledTimes(1);
-  });
-
-  it("retries on serialization failure (40001) and succeeds", async () => {
-    const fn = vi
-      .fn()
-      .mockRejectedValueOnce(makePostgresError("40001"))
-      .mockRejectedValueOnce(makePostgresError("40001"))
-      .mockResolvedValueOnce({ id: "456" });
-
-    const result = await withSerializableRetry(fn, {
-      maxRetries: 3,
-      baseDelayMs: 1, // fast for tests
-    });
-
-    expect(result).toEqual({ id: "456" });
-    expect(fn).toHaveBeenCalledTimes(3);
-  });
-
-  it("throws SerializationRetryExhaustedError when all retries fail", async () => {
-    const fn = vi.fn().mockRejectedValue(makePostgresError("40001"));
-
-    await expect(
-      withSerializableRetry(fn, { maxRetries: 2, baseDelayMs: 1 }),
-    ).rejects.toThrow(SerializationRetryExhaustedError);
-
-    // Initial attempt + 2 retries = 3 calls
-    expect(fn).toHaveBeenCalledTimes(3);
-  });
-
-  it("rethrows unknown errors without retrying", async () => {
-    const fn = vi.fn().mockRejectedValue(new Error("connection refused"));
-
-    await expect(withSerializableRetry(fn)).rejects.toThrow(
-      "connection refused",
-    );
-    expect(fn).toHaveBeenCalledTimes(1);
-  });
-
-  it("uses default options (3 retries, 50ms base delay)", async () => {
-    const fn = vi
-      .fn()
-      .mockRejectedValueOnce(makePostgresError("40001"))
-      .mockResolvedValueOnce("ok");
-
-    const result = await withSerializableRetry(fn);
-    expect(result).toBe("ok");
-    expect(fn).toHaveBeenCalledTimes(2);
-  });
-});