backend-manager 5.9.6 → 5.9.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +5 -3
- package/src/manager/events/cron/runner.js +0 -1
- package/src/manager/libraries/email/data/disposable-domains.json +21 -0
- package/src/test/fixtures/firebase-project/.temp/test-mode.json +1 -1
- package/src/test/fixtures/firebase-project/database-debug.log +8 -8
- package/src/test/fixtures/firebase-project/firestore-debug.log +55 -59
- package/src/test/fixtures/firebase-project/pubsub-debug.log +3 -3
- package/templates/_.env +42 -0
- package/templates/_.gitignore +60 -0
- package/templates/backend-manager-config.json +249 -0
- package/templates/database.rules.json +83 -0
- package/templates/firebase.json +66 -0
- package/templates/firestore.indexes.json +4 -0
- package/templates/firestore.rules +112 -0
- package/templates/public/404.html +26 -0
- package/templates/public/index.html +24 -0
- package/templates/remoteconfig.template.json +1 -0
- package/templates/storage-lifecycle-config-1-day.json +9 -0
- package/templates/storage-lifecycle-config-30-days.json +9 -0
- package/templates/storage.rules +8 -0
- package/test/_init/accounts-validation.js +58 -0
- package/test/_legacy/ai/index.js +231 -0
- package/test/_legacy/ai/test.jpg +0 -0
- package/test/_legacy/ai/test.pdf +0 -0
- package/test/_legacy/index.js +31 -0
- package/test/_legacy/payment-resolver/chargebee/orders/refunded.json +0 -0
- package/test/_legacy/payment-resolver/chargebee/orders/unpaid.json +98 -0
- package/test/_legacy/payment-resolver/chargebee/subscriptions/active.json +578 -0
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-in-trial.json +38 -0
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-skipped-to-active.json +135 -0
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active-to-cancelled.json +42 -0
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active.json +44 -0
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-cancelled.json +39 -0
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-refund.json +143 -0
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-suspended.json +48 -0
- package/test/_legacy/payment-resolver/coinbase/orders/regular.json +204 -0
- package/test/_legacy/payment-resolver/coinbase/subscriptions/cancelled.json +204 -0
- package/test/_legacy/payment-resolver/coinbase/subscriptions/paid-2.json +125 -0
- package/test/_legacy/payment-resolver/index.js +1558 -0
- package/test/_legacy/payment-resolver/paypal/orders/refunded.json +0 -0
- package/test/_legacy/payment-resolver/paypal/orders/regular.json +120 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/active-refund-previous-stmnt.json +323 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/active.json +192 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-in-trial.json +125 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-not-complete.json +76 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue-2.json +114 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue.json +114 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active-to-cancelled.json +111 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active.json +132 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-cancelled.json +107 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-expired.json +91 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-refund.json +147 -0
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-suspended.json +120 -0
- package/test/_legacy/payment-resolver/stripe/orders/refunded.json +0 -0
- package/test/_legacy/payment-resolver/stripe/orders/regular.json +91 -0
- package/test/_legacy/payment-resolver/stripe/subscriptions/active.json +421 -0
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-in-trial.json +349 -0
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active-failed-authorization.json +430 -0
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active.json +319 -0
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-cancelled.json +319 -0
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-refund.json +414 -0
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-suspended.json +319 -0
- package/test/_legacy/payment-resolver/stripe/subscriptions/unsure.json +339 -0
- package/test/_legacy/test-new +1178 -0
- package/test/_legacy/test.md +89 -0
- package/test/_legacy/usage.js +175 -0
- package/test/_legacy/user.js +31 -0
- package/test/ai/tools-live.js +170 -0
- package/test/boot/emulator-boots.js +37 -0
- package/test/content/blog-generate.js +160 -0
- package/test/email/campaign-send.js +45 -0
- package/test/email/consent-lifecycle.js +257 -0
- package/test/email/feedback-and-plain-send.js +52 -0
- package/test/email/fixtures/clean.json +30 -0
- package/test/email/fixtures/editorial.json +30 -0
- package/test/email/fixtures/field-report.json +53 -0
- package/test/email/marketing-lifecycle.js +132 -0
- package/test/email/newsletter-generate.js +819 -0
- package/test/email/newsletter-templates.js +491 -0
- package/test/email/templates.js +207 -0
- package/test/email/transactional-send.js +34 -0
- package/test/email/transactional.js +560 -0
- package/test/email/validation.js +710 -0
- package/test/events/auth-delete-race.js +201 -0
- package/test/events/payments/journey-payments-cancel-endpoint.js +100 -0
- package/test/events/payments/journey-payments-cancel.js +182 -0
- package/test/events/payments/journey-payments-discount.js +89 -0
- package/test/events/payments/journey-payments-failure.js +146 -0
- package/test/events/payments/journey-payments-legacy-product.js +149 -0
- package/test/events/payments/journey-payments-one-time-failure.js +111 -0
- package/test/events/payments/journey-payments-one-time.js +136 -0
- package/test/events/payments/journey-payments-plan-change.js +144 -0
- package/test/events/payments/journey-payments-refund-webhook.js +180 -0
- package/test/events/payments/journey-payments-suspend.js +181 -0
- package/test/events/payments/journey-payments-trial-cancel.js +130 -0
- package/test/events/payments/journey-payments-trial.js +171 -0
- package/test/events/payments/journey-payments-uid-resolution.js +132 -0
- package/test/events/payments/journey-payments-upgrade.js +135 -0
- package/test/fixtures/chargebee/invoice-one-time.json +27 -0
- package/test/fixtures/chargebee/subscription-active.json +44 -0
- package/test/fixtures/chargebee/subscription-cancelled.json +42 -0
- package/test/fixtures/chargebee/subscription-in-trial.json +41 -0
- package/test/fixtures/chargebee/subscription-legacy-plan.json +41 -0
- package/test/fixtures/chargebee/subscription-non-renewing.json +41 -0
- package/test/fixtures/chargebee/subscription-paused.json +42 -0
- package/test/fixtures/chargebee/webhook-payment-failed.json +51 -0
- package/test/fixtures/chargebee/webhook-subscription-created.json +47 -0
- package/test/fixtures/paypal/order-approved.json +62 -0
- package/test/fixtures/paypal/order-completed.json +110 -0
- package/test/fixtures/paypal/subscription-active.json +76 -0
- package/test/fixtures/paypal/subscription-cancelled.json +50 -0
- package/test/fixtures/paypal/subscription-suspended.json +65 -0
- package/test/fixtures/stripe/checkout-session-completed.json +130 -0
- package/test/fixtures/stripe/invoice-payment-failed.json +148 -0
- package/test/fixtures/stripe/invoice-subscription-payment-failed.json +28 -0
- package/test/fixtures/stripe/subscription-active.json +161 -0
- package/test/fixtures/stripe/subscription-canceled.json +161 -0
- package/test/fixtures/stripe/subscription-trialing.json +161 -0
- package/test/functions/admin/database-read.js +134 -0
- package/test/functions/admin/database-write.js +159 -0
- package/test/functions/admin/edit-post.js +366 -0
- package/test/functions/admin/firestore-query.js +207 -0
- package/test/functions/admin/firestore-read.js +129 -0
- package/test/functions/admin/firestore-write.js +105 -0
- package/test/functions/admin/get-stats.js +115 -0
- package/test/functions/admin/send-email.js +119 -0
- package/test/functions/admin/send-notification.js +208 -0
- package/test/functions/admin/write-repo-content.js +223 -0
- package/test/functions/general/add-marketing-contact.js +335 -0
- package/test/functions/general/fetch-post.js +54 -0
- package/test/functions/general/generate-uuid.js +114 -0
- package/test/functions/test/authenticate.js +64 -0
- package/test/functions/user/create-custom-token.js +73 -0
- package/test/functions/user/delete.js +135 -0
- package/test/functions/user/get-active-sessions.js +111 -0
- package/test/functions/user/get-subscription-info.js +99 -0
- package/test/functions/user/regenerate-api-keys.js +156 -0
- package/test/functions/user/resolve.js +52 -0
- package/test/functions/user/sign-out-all-sessions.js +94 -0
- package/test/functions/user/sign-up.js +252 -0
- package/test/functions/user/submit-feedback.js +104 -0
- package/test/functions/user/validate-settings.js +82 -0
- package/test/helpers/ai-request-payload.js +300 -0
- package/test/helpers/ai-test-provider.js +202 -0
- package/test/helpers/ai-tools-format.js +383 -0
- package/test/helpers/content/blog-auto-publisher.js +484 -0
- package/test/helpers/content/feed-parser.js +528 -0
- package/test/helpers/content/ghostii-blocks.js +134 -0
- package/test/helpers/content/ghostii-feed-integration.js +404 -0
- package/test/helpers/content/ghostii-write-article.js +243 -0
- package/test/helpers/environment.js +230 -0
- package/test/helpers/infer-contact.js +113 -0
- package/test/helpers/merge-line-files.js +271 -0
- package/test/helpers/payment/chargebee/parse-webhook.js +413 -0
- package/test/helpers/payment/chargebee/to-unified-one-time.js +147 -0
- package/test/helpers/payment/chargebee/to-unified-subscription.js +648 -0
- package/test/helpers/payment/paypal/parse-webhook.js +539 -0
- package/test/helpers/payment/paypal/to-unified-one-time.js +382 -0
- package/test/helpers/payment/paypal/to-unified-subscription.js +820 -0
- package/test/helpers/payment/stripe/parse-webhook.js +447 -0
- package/test/helpers/payment/stripe/to-unified-one-time.js +306 -0
- package/test/helpers/payment/stripe/to-unified-subscription.js +708 -0
- package/test/helpers/sanitize.js +222 -0
- package/test/helpers/slugify.js +394 -0
- package/test/helpers/storage.js +194 -0
- package/test/helpers/user.js +755 -0
- package/test/helpers/webhook-forward.js +418 -0
- package/test/mcp/discovery.js +53 -0
- package/test/mcp/oauth.js +161 -0
- package/test/mcp/protocol.js +268 -0
- package/test/mcp/roles.js +188 -0
- package/test/mcp/utils.js +245 -0
- package/test/routes/admin/create-post.js +364 -0
- package/test/routes/admin/database.js +131 -0
- package/test/routes/admin/deduplicate-image-alts.js +190 -0
- package/test/routes/admin/email.js +114 -0
- package/test/routes/admin/firestore-query.js +204 -0
- package/test/routes/admin/firestore.js +127 -0
- package/test/routes/admin/infer-contact.js +218 -0
- package/test/routes/admin/notification.js +198 -0
- package/test/routes/admin/post-resize-image.js +184 -0
- package/test/routes/admin/post.js +368 -0
- package/test/routes/admin/repo-content.js +223 -0
- package/test/routes/admin/stats.js +112 -0
- package/test/routes/content/post.js +54 -0
- package/test/routes/general/uuid.js +115 -0
- package/test/routes/marketing/campaign.js +125 -0
- package/test/routes/marketing/contact.js +370 -0
- package/test/routes/marketing/email-preferences.js +292 -0
- package/test/routes/marketing/push-send.js +32 -0
- package/test/routes/marketing/webhook-forward.js +61 -0
- package/test/routes/marketing/webhook.js +639 -0
- package/test/routes/payments/cancel.js +163 -0
- package/test/routes/payments/discount.js +80 -0
- package/test/routes/payments/dispute-alert.js +320 -0
- package/test/routes/payments/intent.js +336 -0
- package/test/routes/payments/portal.js +92 -0
- package/test/routes/payments/refund.js +179 -0
- package/test/routes/payments/trial-eligibility.js +71 -0
- package/test/routes/payments/webhook.js +107 -0
- package/test/routes/test/authenticate.js +59 -0
- package/test/routes/test/schema.js +554 -0
- package/test/routes/test/usage.js +342 -0
- package/test/routes/user/api-keys.js +156 -0
- package/test/routes/user/delete.js +136 -0
- package/test/routes/user/feedback.js +104 -0
- package/test/routes/user/sessions.js +199 -0
- package/test/routes/user/settings-validate.js +82 -0
- package/test/routes/user/signup.js +542 -0
- package/test/routes/user/subscription.js +99 -0
- package/test/routes/user/token.js +73 -0
- package/test/routes/user/user.js +157 -0
- package/test/rules/notifications.js +410 -0
- package/test/rules/payments-carts.js +371 -0
- package/test/rules/user.js +396 -0
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* User deletion flow tests
|
|
3
|
+
* Tests:
|
|
4
|
+
* - Users with active subscriptions cannot delete themselves
|
|
5
|
+
* - Users cannot delete other users
|
|
6
|
+
* - Users can delete themselves after subscription is removed
|
|
7
|
+
* - Admins can delete any user
|
|
8
|
+
*/
|
|
9
|
+
module.exports = {
|
|
10
|
+
description: 'User deletion flow',
|
|
11
|
+
type: 'suite',
|
|
12
|
+
|
|
13
|
+
tests: [
|
|
14
|
+
// --- Self-deletion tests ---
|
|
15
|
+
{
|
|
16
|
+
name: 'verify-delete-user-exists',
|
|
17
|
+
async run({ firestore, assert, state, accounts }) {
|
|
18
|
+
// Get the delete test account uid
|
|
19
|
+
state.deleteUid = accounts.delete.uid;
|
|
20
|
+
|
|
21
|
+
// Verify the user doc exists
|
|
22
|
+
const userDoc = await firestore.get(`users/${state.deleteUid}`);
|
|
23
|
+
|
|
24
|
+
assert.ok(userDoc, 'Delete user doc should exist before deletion');
|
|
25
|
+
assert.ok(userDoc?.auth?.uid === state.deleteUid, 'User doc should have correct uid');
|
|
26
|
+
},
|
|
27
|
+
},
|
|
28
|
+
|
|
29
|
+
{
|
|
30
|
+
name: 'delete-blocked-with-subscription',
|
|
31
|
+
async run({ http, assert }) {
|
|
32
|
+
// Auth as the delete user and try to delete themselves
|
|
33
|
+
// Should be blocked due to active subscription
|
|
34
|
+
const deleteResponse = await http.as('delete').command('user:delete', {});
|
|
35
|
+
|
|
36
|
+
assert.isError(deleteResponse, 400, 'Deletion should be blocked with active subscription');
|
|
37
|
+
assert.ok(
|
|
38
|
+
deleteResponse.error?.includes('paid subscription'),
|
|
39
|
+
`Error should mention paid subscription: ${deleteResponse.error}`,
|
|
40
|
+
);
|
|
41
|
+
},
|
|
42
|
+
},
|
|
43
|
+
|
|
44
|
+
// NOTE: The user:delete API ignores the payload uid parameter for non-admin users.
|
|
45
|
+
// It always uses the authenticated user's uid from resolveUser().
|
|
46
|
+
// This means non-admins cannot delete other users by design - the uid param is simply ignored.
|
|
47
|
+
// A test for "delete other user blocked" would be misleading since it would actually
|
|
48
|
+
// try to delete the authenticated user (basic), not the target user.
|
|
49
|
+
// If we want to explicitly block this, the API should be updated to check payload.uid
|
|
50
|
+
// against user.auth.uid and return a 403 if they don't match.
|
|
51
|
+
|
|
52
|
+
{
|
|
53
|
+
name: 'remove-subscription-from-delete-user',
|
|
54
|
+
async run({ firestore, state }) {
|
|
55
|
+
// Remove the subscription (set to null to overwrite)
|
|
56
|
+
await firestore.set(`users/${state.deleteUid}`, { subscription: null }, { merge: true });
|
|
57
|
+
},
|
|
58
|
+
},
|
|
59
|
+
|
|
60
|
+
{
|
|
61
|
+
name: 'delete-user-succeeds',
|
|
62
|
+
async run({ http, assert }) {
|
|
63
|
+
// Auth as the delete user and delete themselves
|
|
64
|
+
const deleteResponse = await http.as('delete').command('user:delete', {});
|
|
65
|
+
|
|
66
|
+
assert.isSuccess(deleteResponse, `user:delete should succeed: ${JSON.stringify(deleteResponse, null, 2)}`);
|
|
67
|
+
},
|
|
68
|
+
},
|
|
69
|
+
|
|
70
|
+
{
|
|
71
|
+
name: 'verify-firestore-doc-deleted',
|
|
72
|
+
async run({ firestore, assert, state, waitFor }) {
|
|
73
|
+
// on-delete handler deletes Firestore doc when Auth user is deleted
|
|
74
|
+
// Wait for the deletion to complete
|
|
75
|
+
const docDeleted = await waitFor(async () => {
|
|
76
|
+
const userDoc = await firestore.get(`users/${state.deleteUid}`);
|
|
77
|
+
return !userDoc;
|
|
78
|
+
}, 10000, 500);
|
|
79
|
+
|
|
80
|
+
assert.ok(docDeleted, 'Firestore doc should be deleted after Auth user deletion');
|
|
81
|
+
},
|
|
82
|
+
},
|
|
83
|
+
|
|
84
|
+
// --- Admin deletion tests ---
|
|
85
|
+
{
|
|
86
|
+
name: 'verify-admin-delete-target-exists',
|
|
87
|
+
async run({ firestore, assert, state, accounts }) {
|
|
88
|
+
// Get the delete-by-admin test account uid
|
|
89
|
+
state.adminDeleteUid = accounts['delete-by-admin'].uid;
|
|
90
|
+
|
|
91
|
+
// Verify the user doc exists
|
|
92
|
+
const userDoc = await firestore.get(`users/${state.adminDeleteUid}`);
|
|
93
|
+
|
|
94
|
+
assert.ok(userDoc, 'Admin delete target user doc should exist');
|
|
95
|
+
assert.ok(userDoc?.auth?.uid === state.adminDeleteUid, 'User doc should have correct uid');
|
|
96
|
+
},
|
|
97
|
+
},
|
|
98
|
+
|
|
99
|
+
{
|
|
100
|
+
name: 'admin-can-delete-other-user',
|
|
101
|
+
async run({ http, assert, state }) {
|
|
102
|
+
// Auth as admin (using backendManagerKey) and delete another user
|
|
103
|
+
const deleteResponse = await http.as('admin').command('user:delete', {
|
|
104
|
+
uid: state.adminDeleteUid,
|
|
105
|
+
});
|
|
106
|
+
|
|
107
|
+
assert.isSuccess(deleteResponse, `Admin should be able to delete another user: ${JSON.stringify(deleteResponse, null, 2)}`);
|
|
108
|
+
},
|
|
109
|
+
},
|
|
110
|
+
|
|
111
|
+
{
|
|
112
|
+
name: 'verify-admin-deleted-user-firestore-deleted',
|
|
113
|
+
async run({ firestore, assert, state, waitFor }) {
|
|
114
|
+
// on-delete handler deletes Firestore doc when Auth user is deleted
|
|
115
|
+
// Wait for the deletion to complete
|
|
116
|
+
const docDeleted = await waitFor(async () => {
|
|
117
|
+
const userDoc = await firestore.get(`users/${state.adminDeleteUid}`);
|
|
118
|
+
return !userDoc;
|
|
119
|
+
}, 10000, 500);
|
|
120
|
+
|
|
121
|
+
assert.ok(docDeleted, 'Firestore doc should be deleted after admin deletion');
|
|
122
|
+
},
|
|
123
|
+
},
|
|
124
|
+
|
|
125
|
+
// --- Auth rejection test (at end per convention) ---
|
|
126
|
+
{
|
|
127
|
+
name: 'unauthenticated-rejected',
|
|
128
|
+
async run({ http, assert }) {
|
|
129
|
+
const deleteResponse = await http.as('none').command('user:delete', {});
|
|
130
|
+
|
|
131
|
+
assert.isError(deleteResponse, 401, 'Delete should fail without authentication');
|
|
132
|
+
},
|
|
133
|
+
},
|
|
134
|
+
],
|
|
135
|
+
};
|
|
@@ -0,0 +1,111 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Test: user:get-active-sessions
|
|
3
|
+
* Tests the user get active sessions command
|
|
4
|
+
* Returns sessions for authenticated users from Realtime Database
|
|
5
|
+
*/
|
|
6
|
+
module.exports = {
|
|
7
|
+
description: 'User get active sessions',
|
|
8
|
+
type: 'group',
|
|
9
|
+
tests: [
|
|
10
|
+
// Test 1: Authenticated user can get sessions
|
|
11
|
+
{
|
|
12
|
+
name: 'authenticated-user-succeeds',
|
|
13
|
+
auth: 'basic',
|
|
14
|
+
timeout: 15000,
|
|
15
|
+
|
|
16
|
+
async run({ http, assert }) {
|
|
17
|
+
const response = await http.command('user:get-active-sessions', {});
|
|
18
|
+
|
|
19
|
+
assert.isSuccess(response, 'Get active sessions should succeed for authenticated user');
|
|
20
|
+
assert.ok(
|
|
21
|
+
typeof response.data === 'object',
|
|
22
|
+
'Response data should be an object'
|
|
23
|
+
);
|
|
24
|
+
},
|
|
25
|
+
},
|
|
26
|
+
|
|
27
|
+
// Test 2: Default session id is 'app'
|
|
28
|
+
{
|
|
29
|
+
name: 'default-session-is-app',
|
|
30
|
+
auth: 'basic',
|
|
31
|
+
timeout: 15000,
|
|
32
|
+
|
|
33
|
+
async run({ http, assert }) {
|
|
34
|
+
// With no id specified, should query sessions/app
|
|
35
|
+
const response = await http.command('user:get-active-sessions', {});
|
|
36
|
+
|
|
37
|
+
assert.isSuccess(response, 'Get active sessions should succeed');
|
|
38
|
+
// Response is an object (may be empty if no sessions)
|
|
39
|
+
assert.ok(
|
|
40
|
+
response.data !== undefined,
|
|
41
|
+
'Response should have data'
|
|
42
|
+
);
|
|
43
|
+
},
|
|
44
|
+
},
|
|
45
|
+
|
|
46
|
+
// Test 3: Custom session id
|
|
47
|
+
{
|
|
48
|
+
name: 'custom-session-id',
|
|
49
|
+
auth: 'basic',
|
|
50
|
+
timeout: 15000,
|
|
51
|
+
|
|
52
|
+
async run({ http, assert }) {
|
|
53
|
+
const response = await http.command('user:get-active-sessions', {
|
|
54
|
+
id: 'custom-session-type',
|
|
55
|
+
});
|
|
56
|
+
|
|
57
|
+
assert.isSuccess(response, 'Get active sessions with custom id should succeed');
|
|
58
|
+
assert.ok(
|
|
59
|
+
typeof response.data === 'object',
|
|
60
|
+
'Response data should be an object'
|
|
61
|
+
);
|
|
62
|
+
},
|
|
63
|
+
},
|
|
64
|
+
|
|
65
|
+
// Test 4: Empty sessions returns empty object
|
|
66
|
+
{
|
|
67
|
+
name: 'no-sessions-returns-empty',
|
|
68
|
+
auth: 'basic',
|
|
69
|
+
timeout: 15000,
|
|
70
|
+
|
|
71
|
+
async run({ http, assert }) {
|
|
72
|
+
// Query a session type that definitely doesn't exist
|
|
73
|
+
const response = await http.command('user:get-active-sessions', {
|
|
74
|
+
id: 'nonexistent-session-type-12345',
|
|
75
|
+
});
|
|
76
|
+
|
|
77
|
+
assert.isSuccess(response, 'Get sessions for empty type should succeed');
|
|
78
|
+
assert.ok(
|
|
79
|
+
Object.keys(response.data).length === 0,
|
|
80
|
+
'Empty session type should return empty object'
|
|
81
|
+
);
|
|
82
|
+
},
|
|
83
|
+
},
|
|
84
|
+
|
|
85
|
+
// Test 5: Admin can get sessions
|
|
86
|
+
{
|
|
87
|
+
name: 'admin-succeeds',
|
|
88
|
+
auth: 'admin',
|
|
89
|
+
timeout: 15000,
|
|
90
|
+
|
|
91
|
+
async run({ http, assert }) {
|
|
92
|
+
const response = await http.command('user:get-active-sessions', {});
|
|
93
|
+
|
|
94
|
+
assert.isSuccess(response, 'Get active sessions should succeed for admin');
|
|
95
|
+
},
|
|
96
|
+
},
|
|
97
|
+
|
|
98
|
+
// Test 6: Unauthenticated request fails
|
|
99
|
+
{
|
|
100
|
+
name: 'unauthenticated-rejected',
|
|
101
|
+
auth: 'none',
|
|
102
|
+
timeout: 15000,
|
|
103
|
+
|
|
104
|
+
async run({ http, assert }) {
|
|
105
|
+
const response = await http.command('user:get-active-sessions', {});
|
|
106
|
+
|
|
107
|
+
assert.isError(response, 401, 'Get active sessions should fail without authentication');
|
|
108
|
+
},
|
|
109
|
+
},
|
|
110
|
+
],
|
|
111
|
+
};
|
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Test: user:get-subscription-info
|
|
3
|
+
* Tests the user get subscription info command
|
|
4
|
+
* Returns subscription details for authenticated users
|
|
5
|
+
*/
|
|
6
|
+
module.exports = {
|
|
7
|
+
description: 'User get subscription info',
|
|
8
|
+
type: 'group',
|
|
9
|
+
tests: [
|
|
10
|
+
// Test 1: Basic user can get subscription info
|
|
11
|
+
{
|
|
12
|
+
name: 'basic-user-succeeds',
|
|
13
|
+
auth: 'basic',
|
|
14
|
+
timeout: 15000,
|
|
15
|
+
|
|
16
|
+
async run({ http, assert }) {
|
|
17
|
+
const response = await http.command('user:get-subscription-info', {});
|
|
18
|
+
|
|
19
|
+
assert.isSuccess(response, 'Get subscription info should succeed for authenticated user');
|
|
20
|
+
assert.hasProperty(response, 'data.subscription', 'Response should contain subscription object');
|
|
21
|
+
assert.hasProperty(response, 'data.subscription.product.id', 'Subscription should have id');
|
|
22
|
+
assert.hasProperty(response, 'data.subscription.expires', 'Subscription should have expires');
|
|
23
|
+
assert.hasProperty(response, 'data.subscription.trial', 'Subscription should have trial info');
|
|
24
|
+
assert.hasProperty(response, 'data.subscription.payment', 'Subscription should have payment info');
|
|
25
|
+
},
|
|
26
|
+
},
|
|
27
|
+
|
|
28
|
+
// Test 2: Subscription has correct structure
|
|
29
|
+
{
|
|
30
|
+
name: 'subscription-structure-valid',
|
|
31
|
+
auth: 'basic',
|
|
32
|
+
timeout: 15000,
|
|
33
|
+
|
|
34
|
+
async run({ http, assert }) {
|
|
35
|
+
const response = await http.command('user:get-subscription-info', {});
|
|
36
|
+
|
|
37
|
+
assert.isSuccess(response, 'Get subscription info should succeed');
|
|
38
|
+
|
|
39
|
+
const subscription = response.data.subscription;
|
|
40
|
+
|
|
41
|
+
// Check expires structure
|
|
42
|
+
assert.hasProperty(response, 'data.subscription.expires.timestamp', 'expires should have timestamp');
|
|
43
|
+
assert.hasProperty(response, 'data.subscription.expires.timestampUNIX', 'expires should have timestampUNIX');
|
|
44
|
+
|
|
45
|
+
// Check trial structure
|
|
46
|
+
assert.ok(
|
|
47
|
+
typeof subscription.trial.claimed === 'boolean',
|
|
48
|
+
'trial.claimed should be boolean'
|
|
49
|
+
);
|
|
50
|
+
|
|
51
|
+
// Check payment structure
|
|
52
|
+
assert.hasProperty(response, 'data.subscription.payment', 'subscription should have payment');
|
|
53
|
+
},
|
|
54
|
+
},
|
|
55
|
+
|
|
56
|
+
// Test 3: Premium user has active subscription
|
|
57
|
+
{
|
|
58
|
+
name: 'premium-user-has-active-subscription',
|
|
59
|
+
auth: 'premium-active',
|
|
60
|
+
timeout: 15000,
|
|
61
|
+
|
|
62
|
+
async run({ http, assert }) {
|
|
63
|
+
const response = await http.command('user:get-subscription-info', {});
|
|
64
|
+
|
|
65
|
+
assert.isSuccess(response, 'Get subscription info should succeed for premium user');
|
|
66
|
+
assert.hasProperty(response, 'data.subscription.product.id', 'Premium user should have subscription id');
|
|
67
|
+
assert.hasProperty(response, 'data.subscription.payment', 'Premium user should have payment info');
|
|
68
|
+
},
|
|
69
|
+
},
|
|
70
|
+
|
|
71
|
+
// Test 4: Expired premium user still gets info
|
|
72
|
+
{
|
|
73
|
+
name: 'expired-premium-returns-info',
|
|
74
|
+
auth: 'premium-expired',
|
|
75
|
+
timeout: 15000,
|
|
76
|
+
|
|
77
|
+
async run({ http, assert }) {
|
|
78
|
+
const response = await http.command('user:get-subscription-info', {});
|
|
79
|
+
|
|
80
|
+
assert.isSuccess(response, 'Get subscription info should succeed for expired premium');
|
|
81
|
+
assert.hasProperty(response, 'data.subscription.product.id', 'Should still have subscription id');
|
|
82
|
+
assert.hasProperty(response, 'data.subscription.expires.timestampUNIX', 'Should have expires timestamp');
|
|
83
|
+
},
|
|
84
|
+
},
|
|
85
|
+
|
|
86
|
+
// Test 5: Unauthenticated request fails
|
|
87
|
+
{
|
|
88
|
+
name: 'unauthenticated-rejected',
|
|
89
|
+
auth: 'none',
|
|
90
|
+
timeout: 15000,
|
|
91
|
+
|
|
92
|
+
async run({ http, assert }) {
|
|
93
|
+
const response = await http.command('user:get-subscription-info', {});
|
|
94
|
+
|
|
95
|
+
assert.isError(response, 401, 'Get subscription info should fail without authentication');
|
|
96
|
+
},
|
|
97
|
+
},
|
|
98
|
+
],
|
|
99
|
+
};
|
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Test: user:regenerate-api-keys
|
|
3
|
+
* Tests the user regenerate API keys command
|
|
4
|
+
* This is a suite because we need to track state and restore original keys
|
|
5
|
+
*/
|
|
6
|
+
module.exports = {
|
|
7
|
+
description: 'User regenerate API keys',
|
|
8
|
+
type: 'suite',
|
|
9
|
+
timeout: 30000,
|
|
10
|
+
|
|
11
|
+
tests: [
|
|
12
|
+
// Test 1: Store original keys
|
|
13
|
+
{
|
|
14
|
+
name: 'store-original-keys',
|
|
15
|
+
async run({ firestore, assert, state, accounts }) {
|
|
16
|
+
// Get the basic account's current keys to restore later
|
|
17
|
+
const userDoc = await firestore.get(`users/${accounts.basic.uid}`);
|
|
18
|
+
|
|
19
|
+
assert.ok(userDoc, 'User doc should exist');
|
|
20
|
+
assert.hasProperty({ data: userDoc }, 'data.api.clientId', 'User should have clientId');
|
|
21
|
+
assert.hasProperty({ data: userDoc }, 'data.api.privateKey', 'User should have privateKey');
|
|
22
|
+
|
|
23
|
+
state.originalClientId = userDoc.api.clientId;
|
|
24
|
+
state.originalPrivateKey = userDoc.api.privateKey;
|
|
25
|
+
|
|
26
|
+
assert.ok(state.originalClientId, 'Original clientId should exist');
|
|
27
|
+
assert.ok(state.originalPrivateKey, 'Original privateKey should exist');
|
|
28
|
+
},
|
|
29
|
+
},
|
|
30
|
+
|
|
31
|
+
// Test 2: Regenerate both keys (default)
|
|
32
|
+
{
|
|
33
|
+
name: 'regenerate-both-keys',
|
|
34
|
+
async run({ http, assert, state }) {
|
|
35
|
+
const response = await http.as('basic').command('user:regenerate-api-keys', {});
|
|
36
|
+
|
|
37
|
+
assert.isSuccess(response, 'Regenerate API keys should succeed');
|
|
38
|
+
assert.hasProperty(response, 'data.clientId', 'Response should contain new clientId');
|
|
39
|
+
assert.hasProperty(response, 'data.privateKey', 'Response should contain new privateKey');
|
|
40
|
+
|
|
41
|
+
// Keys should be different from original
|
|
42
|
+
assert.notEqual(
|
|
43
|
+
response.data.clientId,
|
|
44
|
+
state.originalClientId,
|
|
45
|
+
'New clientId should be different from original'
|
|
46
|
+
);
|
|
47
|
+
assert.notEqual(
|
|
48
|
+
response.data.privateKey,
|
|
49
|
+
state.originalPrivateKey,
|
|
50
|
+
'New privateKey should be different from original'
|
|
51
|
+
);
|
|
52
|
+
|
|
53
|
+
// Store new keys for verification
|
|
54
|
+
state.newClientId = response.data.clientId;
|
|
55
|
+
state.newPrivateKey = response.data.privateKey;
|
|
56
|
+
},
|
|
57
|
+
},
|
|
58
|
+
|
|
59
|
+
// Test 3: Verify keys are persisted in Firestore
|
|
60
|
+
{
|
|
61
|
+
name: 'verify-keys-persisted',
|
|
62
|
+
async run({ firestore, assert, state, accounts }) {
|
|
63
|
+
const userDoc = await firestore.get(`users/${accounts.basic.uid}`);
|
|
64
|
+
|
|
65
|
+
assert.equal(
|
|
66
|
+
userDoc.api.clientId,
|
|
67
|
+
state.newClientId,
|
|
68
|
+
'Persisted clientId should match returned value'
|
|
69
|
+
);
|
|
70
|
+
assert.equal(
|
|
71
|
+
userDoc.api.privateKey,
|
|
72
|
+
state.newPrivateKey,
|
|
73
|
+
'Persisted privateKey should match returned value'
|
|
74
|
+
);
|
|
75
|
+
},
|
|
76
|
+
},
|
|
77
|
+
|
|
78
|
+
// Test 4: Regenerate only clientId
|
|
79
|
+
// Note: After test 2, the privateKey changed so we need to use the new one
|
|
80
|
+
{
|
|
81
|
+
name: 'regenerate-only-clientId',
|
|
82
|
+
async run({ http, assert, state }) {
|
|
83
|
+
// Use the new privateKey from test 2 since old one is invalid
|
|
84
|
+
const response = await http.withPrivateKey(state.newPrivateKey).command('user:regenerate-api-keys', {
|
|
85
|
+
keys: ['clientId'],
|
|
86
|
+
});
|
|
87
|
+
|
|
88
|
+
assert.isSuccess(response, 'Regenerate clientId only should succeed');
|
|
89
|
+
assert.hasProperty(response, 'data.clientId', 'Response should contain new clientId');
|
|
90
|
+
assert.ok(
|
|
91
|
+
!response.data.privateKey,
|
|
92
|
+
'Response should NOT contain privateKey when only clientId requested'
|
|
93
|
+
);
|
|
94
|
+
assert.notEqual(
|
|
95
|
+
response.data.clientId,
|
|
96
|
+
state.newClientId,
|
|
97
|
+
'New clientId should be different from previous'
|
|
98
|
+
);
|
|
99
|
+
},
|
|
100
|
+
},
|
|
101
|
+
|
|
102
|
+
// Test 5: Regenerate only privateKey
|
|
103
|
+
{
|
|
104
|
+
name: 'regenerate-only-privateKey',
|
|
105
|
+
async run({ http, assert, state, accounts, firestore }) {
|
|
106
|
+
// Get current clientId to verify it stays the same
|
|
107
|
+
const beforeDoc = await firestore.get(`users/${accounts.basic.uid}`);
|
|
108
|
+
const currentClientId = beforeDoc.api.clientId;
|
|
109
|
+
|
|
110
|
+
// Still use newPrivateKey since test 4 didn't change it
|
|
111
|
+
const response = await http.withPrivateKey(state.newPrivateKey).command('user:regenerate-api-keys', {
|
|
112
|
+
keys: ['privateKey'],
|
|
113
|
+
});
|
|
114
|
+
|
|
115
|
+
assert.isSuccess(response, 'Regenerate privateKey only should succeed');
|
|
116
|
+
assert.hasProperty(response, 'data.privateKey', 'Response should contain new privateKey');
|
|
117
|
+
assert.ok(
|
|
118
|
+
!response.data.clientId,
|
|
119
|
+
'Response should NOT contain clientId when only privateKey requested'
|
|
120
|
+
);
|
|
121
|
+
|
|
122
|
+
// Verify clientId stayed the same
|
|
123
|
+
const afterDoc = await firestore.get(`users/${accounts.basic.uid}`);
|
|
124
|
+
assert.equal(
|
|
125
|
+
afterDoc.api.clientId,
|
|
126
|
+
currentClientId,
|
|
127
|
+
'clientId should remain unchanged when only privateKey regenerated'
|
|
128
|
+
);
|
|
129
|
+
},
|
|
130
|
+
},
|
|
131
|
+
|
|
132
|
+
// Test 6: Unauthenticated request fails
|
|
133
|
+
{
|
|
134
|
+
name: 'unauthenticated-rejected',
|
|
135
|
+
async run({ http, assert }) {
|
|
136
|
+
const response = await http.as('none').command('user:regenerate-api-keys', {});
|
|
137
|
+
|
|
138
|
+
assert.isError(response, 401, 'Regenerate API keys should fail without authentication');
|
|
139
|
+
},
|
|
140
|
+
},
|
|
141
|
+
|
|
142
|
+
// Test 7: Restore original keys
|
|
143
|
+
{
|
|
144
|
+
name: 'restore-original-keys',
|
|
145
|
+
async run({ firestore, state, accounts }) {
|
|
146
|
+
// Restore original keys so other tests aren't affected
|
|
147
|
+
await firestore.set(`users/${accounts.basic.uid}`, {
|
|
148
|
+
api: {
|
|
149
|
+
clientId: state.originalClientId,
|
|
150
|
+
privateKey: state.originalPrivateKey,
|
|
151
|
+
},
|
|
152
|
+
}, { merge: true });
|
|
153
|
+
},
|
|
154
|
+
},
|
|
155
|
+
],
|
|
156
|
+
};
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Test: user:resolve
|
|
3
|
+
* Tests the user resolve command
|
|
4
|
+
* Returns user account info for authenticated users
|
|
5
|
+
*
|
|
6
|
+
* SKIPPED: The user:resolve command is not yet implemented (has TODO in handler)
|
|
7
|
+
*/
|
|
8
|
+
module.exports = {
|
|
9
|
+
description: 'User resolve (account info)',
|
|
10
|
+
skip: 'user:resolve command not yet implemented',
|
|
11
|
+
type: 'group',
|
|
12
|
+
tests: [
|
|
13
|
+
// Test 1: Authenticated user can call resolve
|
|
14
|
+
{
|
|
15
|
+
name: 'authenticated-user-succeeds',
|
|
16
|
+
auth: 'basic',
|
|
17
|
+
timeout: 15000,
|
|
18
|
+
|
|
19
|
+
async run({ http, assert }) {
|
|
20
|
+
const response = await http.command('user:resolve', {});
|
|
21
|
+
|
|
22
|
+
assert.isSuccess(response, 'Resolve should succeed for authenticated user');
|
|
23
|
+
},
|
|
24
|
+
},
|
|
25
|
+
|
|
26
|
+
// Test 2: Premium user can call resolve
|
|
27
|
+
{
|
|
28
|
+
name: 'premium-user-succeeds',
|
|
29
|
+
auth: 'premium-active',
|
|
30
|
+
timeout: 15000,
|
|
31
|
+
|
|
32
|
+
async run({ http, assert }) {
|
|
33
|
+
const response = await http.command('user:resolve', {});
|
|
34
|
+
|
|
35
|
+
assert.isSuccess(response, 'Resolve should succeed for premium user');
|
|
36
|
+
},
|
|
37
|
+
},
|
|
38
|
+
|
|
39
|
+
// Test 3: Unauthenticated request fails
|
|
40
|
+
{
|
|
41
|
+
name: 'unauthenticated-rejected',
|
|
42
|
+
auth: 'none',
|
|
43
|
+
timeout: 15000,
|
|
44
|
+
|
|
45
|
+
async run({ http, assert }) {
|
|
46
|
+
const response = await http.command('user:resolve', {});
|
|
47
|
+
|
|
48
|
+
assert.isError(response, 401, 'Resolve should fail without authentication');
|
|
49
|
+
},
|
|
50
|
+
},
|
|
51
|
+
],
|
|
52
|
+
};
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Test: user:sign-out-all-sessions
|
|
3
|
+
* Tests the user sign out all sessions command
|
|
4
|
+
* This revokes refresh tokens and clears session data
|
|
5
|
+
* Note: This is a potentially destructive test, so we use a dedicated test account
|
|
6
|
+
*/
|
|
7
|
+
module.exports = {
|
|
8
|
+
description: 'User sign out all sessions',
|
|
9
|
+
type: 'group',
|
|
10
|
+
tests: [
|
|
11
|
+
// Test 1: Authenticated user can sign out all sessions
|
|
12
|
+
{
|
|
13
|
+
name: 'authenticated-user-succeeds',
|
|
14
|
+
auth: 'basic',
|
|
15
|
+
timeout: 30000, // Longer timeout due to session cleanup
|
|
16
|
+
|
|
17
|
+
async run({ http, assert }) {
|
|
18
|
+
const response = await http.command('user:sign-out-all-sessions', {});
|
|
19
|
+
|
|
20
|
+
assert.isSuccess(response, 'Sign out all sessions should succeed for authenticated user');
|
|
21
|
+
assert.hasProperty(response, 'data.sessions', 'Response should contain sessions count');
|
|
22
|
+
assert.hasProperty(response, 'data.message', 'Response should contain message');
|
|
23
|
+
assert.ok(
|
|
24
|
+
typeof response.data.sessions === 'number',
|
|
25
|
+
'sessions should be a number'
|
|
26
|
+
);
|
|
27
|
+
assert.ok(
|
|
28
|
+
response.data.sessions >= 0,
|
|
29
|
+
'sessions count should be non-negative'
|
|
30
|
+
);
|
|
31
|
+
},
|
|
32
|
+
},
|
|
33
|
+
|
|
34
|
+
// Test 2: Custom session id
|
|
35
|
+
{
|
|
36
|
+
name: 'custom-session-id',
|
|
37
|
+
auth: 'basic',
|
|
38
|
+
timeout: 30000,
|
|
39
|
+
|
|
40
|
+
async run({ http, assert }) {
|
|
41
|
+
const response = await http.command('user:sign-out-all-sessions', {
|
|
42
|
+
id: 'custom-session-type',
|
|
43
|
+
});
|
|
44
|
+
|
|
45
|
+
assert.isSuccess(response, 'Sign out with custom session id should succeed');
|
|
46
|
+
assert.hasProperty(response, 'data.sessions', 'Response should contain sessions count');
|
|
47
|
+
},
|
|
48
|
+
},
|
|
49
|
+
|
|
50
|
+
// Test 3: Premium user can sign out all sessions
|
|
51
|
+
// Note: backendManagerKey admin doesn't have auth.uid, so we test with premium user instead
|
|
52
|
+
{
|
|
53
|
+
name: 'premium-user-succeeds',
|
|
54
|
+
auth: 'premium-active',
|
|
55
|
+
timeout: 30000,
|
|
56
|
+
|
|
57
|
+
async run({ http, assert }) {
|
|
58
|
+
const response = await http.command('user:sign-out-all-sessions', {});
|
|
59
|
+
|
|
60
|
+
assert.isSuccess(response, 'Sign out all sessions should succeed for premium user');
|
|
61
|
+
assert.hasProperty(response, 'data.sessions', 'Response should contain sessions count');
|
|
62
|
+
},
|
|
63
|
+
},
|
|
64
|
+
|
|
65
|
+
// Test 4: Multiple calls are idempotent
|
|
66
|
+
{
|
|
67
|
+
name: 'idempotent-operation',
|
|
68
|
+
auth: 'basic',
|
|
69
|
+
timeout: 30000,
|
|
70
|
+
|
|
71
|
+
async run({ http, assert }) {
|
|
72
|
+
// Call twice in a row - both should succeed
|
|
73
|
+
const response1 = await http.command('user:sign-out-all-sessions', {});
|
|
74
|
+
const response2 = await http.command('user:sign-out-all-sessions', {});
|
|
75
|
+
|
|
76
|
+
assert.isSuccess(response1, 'First sign out should succeed');
|
|
77
|
+
assert.isSuccess(response2, 'Second sign out should succeed (idempotent)');
|
|
78
|
+
},
|
|
79
|
+
},
|
|
80
|
+
|
|
81
|
+
// Test 5: Unauthenticated request fails
|
|
82
|
+
{
|
|
83
|
+
name: 'unauthenticated-rejected',
|
|
84
|
+
auth: 'none',
|
|
85
|
+
timeout: 15000,
|
|
86
|
+
|
|
87
|
+
async run({ http, assert }) {
|
|
88
|
+
const response = await http.command('user:sign-out-all-sessions', {});
|
|
89
|
+
|
|
90
|
+
assert.isError(response, 401, 'Sign out all sessions should fail without authentication');
|
|
91
|
+
},
|
|
92
|
+
},
|
|
93
|
+
],
|
|
94
|
+
};
|