@wopr-network/platform-core 1.68.0 → 1.70.0

package/src/server/routes/__tests__/crypto-webhook.test.ts

@@ -0,0 +1,167 @@
+import { describe, expect, it, vi } from "vitest";
+import type { CryptoServices } from "../../container.js";
+import { createTestContainer } from "../../test-container.js";
+import { type CryptoWebhookConfig, createCryptoWebhookRoutes } from "../crypto-webhook.js";
+
+// ---------------------------------------------------------------------------
+// Mock the key-server-webhook handler so we never hit real billing logic
+// ---------------------------------------------------------------------------
+
+vi.mock("../../../billing/crypto/key-server-webhook.js", () => ({
+  handleKeyServerWebhook: vi.fn().mockResolvedValue({
+    handled: true,
+    creditedCents: 500,
+  }),
+}));
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const SECRET = "test-provision-secret";
+const CRYPTO_KEY = "test-crypto-service-key";
+
+function makeConfig(overrides?: Partial<CryptoWebhookConfig>): CryptoWebhookConfig {
+  return {
+    provisionSecret: SECRET,
+    cryptoServiceKey: CRYPTO_KEY,
+    ...overrides,
+  };
+}
+
+function makeCrypto(): CryptoServices {
+  return {
+    chargeRepo: {} as never,
+    webhookSeenRepo: {} as never,
+  };
+}
+
+const validPayload = {
+  chargeId: "ch_123",
+  chain: "ETH",
+  address: "0xabc",
+  status: "confirmed",
+};
+
+function buildApp(opts?: { crypto?: CryptoServices | null; config?: Partial<CryptoWebhookConfig> }) {
+  const container = createTestContainer({
+    crypto: opts?.crypto !== undefined ? opts.crypto : makeCrypto(),
+  });
+  const config = makeConfig(opts?.config);
+  return createCryptoWebhookRoutes(container, config);
+}
+
+async function post(app: ReturnType<typeof buildApp>, body: unknown, headers?: Record<string, string>) {
+  const init: RequestInit = {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      ...headers,
+    },
+  };
+
+  if (body !== undefined) {
+    init.body = typeof body === "string" ? body : JSON.stringify(body);
+  }
+
+  return app.request("/", init);
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("createCryptoWebhookRoutes", () => {
+  // 1. No auth header
+  it("returns 401 without auth header", async () => {
+    const app = buildApp();
+    const res = await post(app, validPayload);
+
+    expect(res.status).toBe(401);
+    const json = await res.json();
+    expect(json.error).toBe("Unauthorized");
+  });
+
+  // 2. Wrong Bearer token
+  it("returns 401 with wrong Bearer token", async () => {
+    const app = buildApp();
+    const res = await post(app, validPayload, {
+      Authorization: "Bearer wrong-token",
+    });
+
+    expect(res.status).toBe(401);
+    const json = await res.json();
+    expect(json.error).toBe("Unauthorized");
+  });
+
+  // 3. Invalid JSON
+  it("returns 400 on invalid JSON", async () => {
+    const app = buildApp();
+    const res = await app.request("/", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${SECRET}`,
+      },
+      body: "not-valid-json{{{",
+    });
+
+    expect(res.status).toBe(400);
+    const json = await res.json();
+    expect(json.error).toBe("Invalid JSON");
+  });
+
+  // 4. Zod validation failure (missing required fields)
+  it("returns 400 on payload that fails Zod validation", async () => {
+    const app = buildApp();
+    const res = await post(
+      app,
+      { chargeId: "ch_123" }, // missing chain, address, status
+      { Authorization: `Bearer ${SECRET}` },
+    );
+
+    expect(res.status).toBe(400);
+    const json = await res.json();
+    expect(json.error).toBe("Invalid payload");
+    expect(json.issues).toBeDefined();
+    expect(json.issues.length).toBeGreaterThan(0);
+  });
+
+  // 5. Container crypto is null -> 501
+  it("returns 501 when container.crypto is null", async () => {
+    const app = buildApp({ crypto: null });
+    const res = await post(app, validPayload, {
+      Authorization: `Bearer ${SECRET}`,
+    });
+
+    expect(res.status).toBe(501);
+    const json = await res.json();
+    expect(json.error).toBe("Crypto payments not configured");
+  });
+
+  // 6. Valid Bearer matching provision secret
+  it("accepts valid Bearer token matching provision secret", async () => {
+    const app = buildApp();
+    const res = await post(app, validPayload, {
+      Authorization: `Bearer ${SECRET}`,
+    });
+
+    expect(res.status).toBe(200);
+    const json = await res.json();
+    expect(json.handled).toBe(true);
+    expect(json.creditedCents).toBe(500);
+  });
+
+  // 7. Valid Bearer matching crypto service key
+  it("accepts valid Bearer token matching crypto service key", async () => {
+    const app = buildApp();
+    const res = await post(app, validPayload, {
+      Authorization: `Bearer ${CRYPTO_KEY}`,
+    });
+
+    expect(res.status).toBe(200);
+    const json = await res.json();
+    expect(json.handled).toBe(true);
+    expect(json.creditedCents).toBe(500);
+  });
+});

package/src/server/routes/__tests__/provision-webhook.test.ts

@@ -0,0 +1,323 @@
+import { describe, expect, it, vi } from "vitest";
+import type { FleetServices } from "../../container.js";
+import { createTestContainer } from "../../test-container.js";
+import { createProvisionWebhookRoutes, type ProvisionWebhookConfig } from "../provision-webhook.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const SECRET = "test-provision-secret-1234";
+
+function makeConfig(overrides?: Partial<ProvisionWebhookConfig>): ProvisionWebhookConfig {
+  return {
+    provisionSecret: SECRET,
+    instanceImage: "ghcr.io/test/app:latest",
+    containerPort: 3000,
+    maxInstancesPerTenant: 5,
+    gatewayUrl: "http://gateway:4000",
+    containerPrefix: "test",
+    ...overrides,
+  };
+}
+
+function makeFleet(): FleetServices {
+  return {
+    manager: {
+      create: vi.fn().mockResolvedValue({
+        id: "inst-001",
+        containerId: "docker-abc",
+        containerName: "test-myapp",
+        url: "http://test-myapp:3000",
+        profile: { id: "inst-001", name: "myapp", tenantId: "tenant-1" },
+      }),
+      remove: vi.fn().mockResolvedValue(undefined),
+      status: vi.fn().mockResolvedValue({
+        id: "inst-001",
+        name: "myapp",
+        state: "running",
+      }),
+    } as never,
+    docker: {} as never,
+    proxy: {
+      addRoute: vi.fn().mockResolvedValue(undefined),
+      removeRoute: vi.fn(),
+      updateHealth: vi.fn(),
+      getRoutes: vi.fn().mockReturnValue([]),
+      start: vi.fn().mockResolvedValue(undefined),
+      stop: vi.fn().mockResolvedValue(undefined),
+      reload: vi.fn().mockResolvedValue(undefined),
+    },
+    profileStore: {
+      init: vi.fn().mockResolvedValue(undefined),
+      save: vi.fn().mockResolvedValue(undefined),
+      get: vi.fn().mockResolvedValue(null),
+      list: vi.fn().mockResolvedValue([]),
+      delete: vi.fn().mockResolvedValue(true),
+    },
+    serviceKeyRepo: {
+      generate: vi.fn().mockResolvedValue("key-abc"),
+      resolve: vi.fn().mockResolvedValue(null),
+      revokeByInstance: vi.fn().mockResolvedValue(undefined),
+      revokeByTenant: vi.fn().mockResolvedValue(undefined),
+    } as never,
+  };
+}
+
+function buildApp(opts?: { fleet?: FleetServices | null; config?: Partial<ProvisionWebhookConfig> }) {
+  const container = createTestContainer({
+    fleet: opts?.fleet !== undefined ? opts.fleet : makeFleet(),
+  });
+  const config = makeConfig(opts?.config);
+  return createProvisionWebhookRoutes(container, config);
+}
+
+async function request(
+  app: ReturnType<typeof buildApp>,
+  method: string,
+  path: string,
+  body?: unknown,
+  headers?: Record<string, string>,
+) {
+  const init: RequestInit = {
+    method,
+    headers: {
+      "Content-Type": "application/json",
+      ...headers,
+    },
+  };
+  if (body !== undefined) {
+    init.body = JSON.stringify(body);
+  }
+  return app.request(path, init);
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("createProvisionWebhookRoutes", () => {
+  // ---- Auth tests (apply to all endpoints) ----
+
+  it("returns 401 without authorization header", async () => {
+    const app = buildApp();
+    const res = await request(app, "POST", "/create", { tenantId: "t1", subdomain: "test" });
+
+    expect(res.status).toBe(401);
+    const json = await res.json();
+    expect(json.error).toBe("Unauthorized");
+  });
+
+  it("returns 401 with wrong secret", async () => {
+    const app = buildApp();
+    const res = await request(
+      app,
+      "POST",
+      "/create",
+      { tenantId: "t1", subdomain: "test" },
+      {
+        Authorization: "Bearer wrong-secret",
+      },
+    );
+
+    expect(res.status).toBe(401);
+    const json = await res.json();
+    expect(json.error).toBe("Unauthorized");
+  });
+
+  // ---- Fleet not configured ----
+
+  it("returns 501 when fleet not configured (container.fleet is null)", async () => {
+    const app = buildApp({ fleet: null });
+    const res = await request(
+      app,
+      "POST",
+      "/create",
+      { tenantId: "t1", subdomain: "test" },
+      {
+        Authorization: `Bearer ${SECRET}`,
+      },
+    );
+
+    expect(res.status).toBe(501);
+    const json = await res.json();
+    expect(json.error).toBe("Fleet management not configured");
+  });
+
+  it("returns 501 on destroy when fleet not configured", async () => {
+    const app = buildApp({ fleet: null });
+    const res = await request(
+      app,
+      "POST",
+      "/destroy",
+      { instanceId: "inst-001" },
+      {
+        Authorization: `Bearer ${SECRET}`,
+      },
+    );
+
+    expect(res.status).toBe(501);
+  });
+
+  it("returns 501 on budget when fleet not configured", async () => {
+    const app = buildApp({ fleet: null });
+    const res = await request(
+      app,
+      "PUT",
+      "/budget",
+      { instanceId: "inst-001", tenantEntityId: "te-1", budgetCents: 1000 },
+      { Authorization: `Bearer ${SECRET}` },
+    );
+
+    expect(res.status).toBe(501);
+  });
+
+  // ---- Create endpoint ----
+
+  it("handles create webhook with valid auth and payload", async () => {
+    const fleet = makeFleet();
+    const app = buildApp({ fleet });
+    const res = await request(
+      app,
+      "POST",
+      "/create",
+      { tenantId: "tenant-1", subdomain: "myapp" },
+      { Authorization: `Bearer ${SECRET}` },
+    );
+
+    expect(res.status).toBe(201);
+    const json = await res.json();
+    expect(json.ok).toBe(true);
+    expect(json.instanceId).toBe("inst-001");
+    expect(json.subdomain).toBe("myapp");
+    expect(json.containerUrl).toBe("http://test-myapp:3000");
+
+    // Verify fleet.create was called with generic env var names
+    expect(fleet.manager.create).toHaveBeenCalledTimes(1);
+    const createCall = (fleet.manager.create as ReturnType<typeof vi.fn>).mock.calls[0][0];
+    expect(createCall.env.HOSTED_MODE).toBe("true");
+    expect(createCall.env.DEPLOYMENT_MODE).toBe("hosted_proxy");
+    expect(createCall.env.DEPLOYMENT_EXPOSURE).toBe("private");
+    expect(createCall.env.MIGRATION_AUTO_APPLY).toBe("true");
+    // Verify NO product-specific prefixes
+    expect(createCall.env.PAPERCLIP_HOSTED_MODE).toBeUndefined();
+    expect(createCall.env.PAPERCLIP_DEPLOYMENT_MODE).toBeUndefined();
+
+    // Verify proxy route was registered
+    expect(fleet.proxy.addRoute).toHaveBeenCalledTimes(1);
+  });
+
+  it("returns 422 on create when required fields are missing", async () => {
+    const app = buildApp();
+    const res = await request(
+      app,
+      "POST",
+      "/create",
+      { tenantId: "tenant-1" }, // missing subdomain
+      { Authorization: `Bearer ${SECRET}` },
+    );
+
+    expect(res.status).toBe(422);
+    const json = await res.json();
+    expect(json.error).toContain("Missing required fields");
+  });
+
+  // ---- Destroy endpoint ----
+
+  it("handles destroy webhook with valid auth and instanceId", async () => {
+    const fleet = makeFleet();
+    const app = buildApp({ fleet });
+    const res = await request(
+      app,
+      "POST",
+      "/destroy",
+      { instanceId: "inst-001" },
+      { Authorization: `Bearer ${SECRET}` },
+    );
+
+    expect(res.status).toBe(200);
+    const json = await res.json();
+    expect(json.ok).toBe(true);
+
+    expect(fleet.serviceKeyRepo.revokeByInstance).toHaveBeenCalledWith("inst-001");
+    expect(fleet.manager.remove).toHaveBeenCalledWith("inst-001");
+    expect(fleet.proxy.removeRoute).toHaveBeenCalledWith("inst-001");
+  });
+
+  it("returns 422 on destroy when instanceId is missing", async () => {
+    const app = buildApp();
+    const res = await request(
+      app,
+      "POST",
+      "/destroy",
+      {},
+      {
+        Authorization: `Bearer ${SECRET}`,
+      },
+    );
+
+    expect(res.status).toBe(422);
+    const json = await res.json();
+    expect(json.error).toContain("Missing required field");
+  });
+
+  // ---- Budget endpoint ----
+
+  it("handles budget webhook with valid auth and payload", async () => {
+    const fleet = makeFleet();
+    const app = buildApp({ fleet });
+    const res = await request(
+      app,
+      "PUT",
+      "/budget",
+      { instanceId: "inst-001", tenantEntityId: "te-1", budgetCents: 5000 },
+      { Authorization: `Bearer ${SECRET}` },
+    );
+
+    expect(res.status).toBe(200);
+    const json = await res.json();
+    expect(json.ok).toBe(true);
+    expect(json.budgetCents).toBe(5000);
+  });
+
+  it("returns 422 on budget when required fields are missing", async () => {
+    const app = buildApp();
+    const res = await request(
+      app,
+      "PUT",
+      "/budget",
+      { instanceId: "inst-001" }, // missing tenantEntityId, budgetCents
+      { Authorization: `Bearer ${SECRET}` },
+    );
+
+    expect(res.status).toBe(422);
+    const json = await res.json();
+    expect(json.error).toContain("Missing required fields");
+  });
+
+  // ---- Generic env var names ----
+
+  it("uses generic env var names with no PAPERCLIP_ prefix anywhere", async () => {
+    const fleet = makeFleet();
+    const app = buildApp({ fleet });
+    await request(
+      app,
+      "POST",
+      "/create",
+      { tenantId: "tenant-1", subdomain: "myapp" },
+      { Authorization: `Bearer ${SECRET}` },
+    );
+
+    const createCall = (fleet.manager.create as ReturnType<typeof vi.fn>).mock.calls[0][0];
+    const envKeys = Object.keys(createCall.env);
+    for (const key of envKeys) {
+      expect(key).not.toMatch(/^PAPERCLIP_/);
+    }
+    // Verify expected generic names are present
+    expect(envKeys).toContain("HOSTED_MODE");
+    expect(envKeys).toContain("DEPLOYMENT_MODE");
+    expect(envKeys).toContain("DEPLOYMENT_EXPOSURE");
+    expect(envKeys).toContain("MIGRATION_AUTO_APPLY");
+    expect(envKeys).toContain("PROVISION_SECRET");
+  });
+});

package/src/server/routes/__tests__/stripe-webhook.test.ts

@@ -0,0 +1,73 @@
+import { Hono } from "hono";
+import { describe, expect, it, vi } from "vitest";
+
+import { createTestContainer } from "../../test-container.js";
+import { createStripeWebhookRoutes } from "../stripe-webhook.js";
+
+function makeApp(stripeOverride?: unknown) {
+  const container = createTestContainer(
+    stripeOverride !== undefined ? { stripe: stripeOverride as ReturnType<typeof createTestContainer>["stripe"] } : {},
+  );
+  const app = new Hono();
+  app.route("/api/webhooks/stripe", createStripeWebhookRoutes(container));
+  return app;
+}
+
+describe("stripe webhook route", () => {
+  it("returns 501 when stripe not configured", async () => {
+    const app = makeApp(null);
+    const res = await app.request("/api/webhooks/stripe", { method: "POST" });
+    expect(res.status).toBe(501);
+  });
+
+  it("returns 400 when stripe-signature header missing", async () => {
+    const app = makeApp({
+      stripe: {},
+      webhookSecret: "whsec_test",
+      customerRepo: {},
+      processor: { handleWebhook: vi.fn() },
+    });
+    const res = await app.request("/api/webhooks/stripe", {
+      method: "POST",
+      body: "{}",
+    });
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.error).toBe("Missing stripe-signature header");
+  });
+
+  it("returns 200 on valid webhook", async () => {
+    const handleWebhook = vi.fn().mockResolvedValue({ handled: true, event_type: "checkout.session.completed" });
+    const app = makeApp({
+      stripe: {},
+      webhookSecret: "whsec_test",
+      customerRepo: {},
+      processor: { handleWebhook },
+    });
+    const res = await app.request("/api/webhooks/stripe", {
+      method: "POST",
+      headers: { "stripe-signature": "t=123,v1=abc" },
+      body: '{"type":"checkout.session.completed"}',
+    });
+    expect(res.status).toBe(200);
+    expect(handleWebhook).toHaveBeenCalledOnce();
+  });
+
+  it("returns 400 when processor throws (bad signature)", async () => {
+    const handleWebhook = vi.fn().mockRejectedValue(new Error("Signature verification failed"));
+    const app = makeApp({
+      stripe: {},
+      webhookSecret: "whsec_test",
+      customerRepo: {},
+      processor: { handleWebhook },
+    });
+    const res = await app.request("/api/webhooks/stripe", {
+      method: "POST",
+      headers: { "stripe-signature": "t=123,v1=bad" },
+      body: "invalid",
+    });
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.error).toBe("Webhook processing failed");
+  });
+});