backend-manager 5.2.17 → 5.2.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/test/routes/user/signup.js +16 -7
package/package.json
CHANGED
|
@@ -446,11 +446,20 @@ module.exports = {
|
|
|
446
446
|
async run({ http, firestore, assert, accounts }) {
|
|
447
447
|
const uid = accounts['signup-merge'].uid;
|
|
448
448
|
|
|
449
|
-
//
|
|
450
|
-
//
|
|
449
|
+
// Capture the REAL api keys onCreate generated — the signup write must preserve these
|
|
450
|
+
// exactly (regenerating them would break the user's API access AND this test's auth,
|
|
451
|
+
// since http.as() authenticates with api.privateKey). We assert against the real values,
|
|
452
|
+
// NOT a seeded fake (seeding a fake privateKey would 401 the request).
|
|
453
|
+
const before = await firestore.get(`users/${uid}`);
|
|
454
|
+
const realClientId = before?.api?.clientId;
|
|
455
|
+
const realPrivateKey = before?.api?.privateKey;
|
|
456
|
+
const realAffiliateCode = before?.affiliate?.code;
|
|
457
|
+
|
|
458
|
+
// Seed adversarial NON-auth state the signup write must NOT clobber: a paid subscription,
|
|
459
|
+
// admin role, a custom non-schema field, and a deliberately PARTIAL attribution (only
|
|
460
|
+
// affiliate.code) to prove leaves get filled, not replaced-away. We do NOT touch api.* —
|
|
461
|
+
// that's the auth credential and is asserted-preserved via the captured real values.
|
|
451
462
|
await firestore.set(`users/${uid}`, {
|
|
452
|
-
api: { clientId: 'REAL-CLIENT-ID', privateKey: 'REAL-PRIVATE-KEY' },
|
|
453
|
-
affiliate: { code: 'REALAFFILIATECODE', referrals: [{ uid: 'someone' }] },
|
|
454
463
|
subscription: { product: { id: 'pro', name: 'Pro' }, status: 'active' },
|
|
455
464
|
roles: { admin: true, betaTester: false, developer: false },
|
|
456
465
|
attribution: { affiliate: { code: 'PARTIALONLY' } },
|
|
@@ -466,9 +475,9 @@ module.exports = {
|
|
|
466
475
|
const doc = await firestore.get(`users/${uid}`);
|
|
467
476
|
|
|
468
477
|
// (b) Existing real values must survive untouched — NOT regenerated/reset by the schema layer.
|
|
469
|
-
assert.equal(doc?.api?.clientId,
|
|
470
|
-
assert.equal(doc?.api?.privateKey,
|
|
471
|
-
assert.equal(doc?.affiliate?.code,
|
|
478
|
+
assert.equal(doc?.api?.clientId, realClientId, 'api.clientId must be preserved (not regenerated)');
|
|
479
|
+
assert.equal(doc?.api?.privateKey, realPrivateKey, 'api.privateKey must be preserved (not regenerated)');
|
|
480
|
+
assert.equal(doc?.affiliate?.code, realAffiliateCode, 'affiliate.code must be preserved (not regenerated)');
|
|
472
481
|
assert.equal(doc?.subscription?.product?.id, 'pro', 'subscription must be preserved (not reset to basic)');
|
|
473
482
|
assert.equal(doc?.roles?.admin, true, 'roles.admin must be preserved (not reset to false)');
|
|
474
483
|
|