payment-kit 1.29.0 → 1.29.2

package/api/tests/queues/event-tenant.spec.ts

@@ -0,0 +1,236 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { withTenant } from '../../src/libs/context';
+import { TENANT_CONTEXT_MISSING, TENANT_MISMATCH } from '../../src/libs/tenant';
+import { TENANT_A, TENANT_B } from '../fixtures/tenants';
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+// neutralize the queue engine: real createQueue scans the jobs table on
+// import (crash-recovery), which races against this suite's temp DB lifecycle
+jest.mock('../../src/libs/queue', () => ({
+  __esModule: true,
+  default: () => ({
+    push: jest.fn(),
+    pushAndWait: jest.fn(),
+    cancel: jest.fn(),
+    on: jest.fn(),
+    get: jest.fn().mockResolvedValue(null),
+  }),
+}));
+
+// the five delivery paths are exercised against mocks for transport pieces
+const addWebhookJob = jest.fn().mockResolvedValue(true);
+jest.mock('../../src/queues/webhook', () => {
+  const actual = jest.requireActual('../../src/queues/webhook');
+  return { ...actual, addWebhookJob: (...args: any[]) => addWebhookJob(...args) };
+});
+
+const componentRequest = jest.fn().mockResolvedValue({ status: 200, data: { ok: true } });
+jest.mock('@blocklet/sdk/lib/util/component-api', () => ({
+  __esModule: true,
+  default: { request: (...args: any[]) => componentRequest(...args) },
+}));
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'event-tenant-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let models: any;
+let handleEvent: any;
+let handleWebhook: any;
+let assertEventTenantAccessible: any;
+let logger: any;
+
+beforeAll(async () => {
+  await umzug.up();
+  // eslint-disable-next-line global-require
+  models = require('../../src/store/models');
+  models.initialize(sequelize);
+  // eslint-disable-next-line global-require
+  ({ handleEvent } = require('../../src/queues/event'));
+  // eslint-disable-next-line global-require
+  ({ handleWebhook } = jest.requireActual('../../src/queues/webhook'));
+  // eslint-disable-next-line global-require
+  ({ assertEventTenantAccessible } = require('../../src/routes/hono/events'));
+  // eslint-disable-next-line global-require
+  logger = require('../../src/libs/logger').default;
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+const seedEvent = (tenant: string, type = 'customer.updated') =>
+  withTenant(tenant, () =>
+    models.Event.create({
+      type,
+      instance_did: tenant,
+      api_version: 'test',
+      livemode: false,
+      object_id: 'obj_1',
+      object_type: 'customer',
+      data: { object: { id: 'obj_1' } },
+      request: { id: '', idempotency_key: '', requested_by: 'test' },
+      metadata: {},
+      pending_webhooks: 99,
+    })
+  );
+
+const seedEndpoint = (tenant: string, url: string) =>
+  withTenant(tenant, () =>
+    models.WebhookEndpoint.create({
+      instance_did: tenant,
+      livemode: false,
+      url,
+      description: 'test',
+      status: 'enabled',
+      enabled_events: ['customer.updated'],
+      secret: 'whsec_test',
+      api_version: 'test',
+    })
+  );
+
+beforeEach(async () => {
+  jest.clearAllMocks();
+  await sequelize.query('DELETE FROM events');
+  await sequelize.query('DELETE FROM webhook_endpoints');
+  await sequelize.query('DELETE FROM webhook_attempts');
+});
+
+describe('event delivery tenant isolation (phase 4)', () => {
+  describe('path 1 fanout (queues/event.ts): only same-tenant endpoints scheduled', () => {
+    it('A event fans out to A endpoint only, B endpoint untouched', async () => {
+      const event = await seedEvent(TENANT_A);
+      const endpointA = await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+      await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
+
+      await handleEvent({ eventId: event.id });
+
+      expect(addWebhookJob).toHaveBeenCalledTimes(1);
+      expect(addWebhookJob).toHaveBeenCalledWith(event.id, endpointA.id, expect.anything());
+    });
+  });
+
+  describe('path 2 delivery handler (queues/webhook.ts): tenant invariant', () => {
+    it('forged job pairing A event with B endpoint is refused without an attempt row', async () => {
+      const event = await seedEvent(TENANT_A);
+      const endpointB = await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
+
+      await handleWebhook({ eventId: event.id, webhookId: endpointB.id });
+
+      expect(componentRequest).not.toHaveBeenCalled();
+      const [attempts] = await sequelize.query('SELECT COUNT(*) AS n FROM webhook_attempts');
+      expect((attempts as any[])[0].n).toBe(0);
+      expect(logger.error).toHaveBeenCalledWith(
+        expect.stringContaining('tenant mismatch'),
+        expect.objectContaining({ code: TENANT_MISMATCH })
+      );
+    });
+
+    it('same-tenant delivery succeeds and the attempt row carries the tenant', async () => {
+      const event = await seedEvent(TENANT_A);
+      const endpointA = await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+
+      await handleWebhook({ eventId: event.id, webhookId: endpointA.id });
+
+      expect(componentRequest).toHaveBeenCalledTimes(1);
+      const [attempts] = await sequelize.query('SELECT status, instance_did FROM webhook_attempts');
+      expect(attempts).toEqual([{ status: 'succeeded', instance_did: TENANT_A }]);
+    });
+  });
+
+  describe('paths 3+4 manual retry routes: caller tenant guard', () => {
+    it('A caller cannot retry a B event (TENANT_MISMATCH -> 4xx mapping)', async () => {
+      await withTenant(TENANT_A, async () => {
+        expect(() => assertEventTenantAccessible({ instance_did: TENANT_B })).toThrow(
+          expect.objectContaining({ code: TENANT_MISMATCH })
+        );
+      });
+    });
+
+    it('multi mode without caller context fails closed', () => {
+      process.env.PAYMENT_TENANT_MODE = 'multi';
+      try {
+        expect(() => assertEventTenantAccessible({ instance_did: TENANT_B })).toThrow(
+          expect.objectContaining({ code: TENANT_CONTEXT_MISSING })
+        );
+      } finally {
+        delete process.env.PAYMENT_TENANT_MODE;
+      }
+    });
+
+    it('same-tenant caller passes the guard', async () => {
+      await withTenant(TENANT_B, async () => {
+        expect(() => assertEventTenantAccessible({ instance_did: TENANT_B })).not.toThrow();
+      });
+    });
+
+    it('retry fanout never schedules the other tenant endpoint (paths 3+4 data leak)', async () => {
+      // same shape the retry routes use after their tenant guard: endpoint
+      // query scoped by caller tenant -> B endpoint invisible to A
+      await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+      await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
+      const visible = await withTenant(TENANT_A, async () =>
+        models.WebhookEndpoint.findAll({
+          where: { status: 'enabled', livemode: false, instance_did: TENANT_A },
+        })
+      );
+      expect(visible).toHaveLength(1);
+      expect(visible[0].url).toBe('http://a.example.com/hook');
+    });
+  });
+
+  describe('path 5 pending scan (crons/retry-pending-events.ts)', () => {
+    it('re-enqueued events still fan out tenant-filtered (transitively via handleEvent)', async () => {
+      // the cron only re-enqueues IDs; prove the downstream filter holds for a
+      // B event when both tenants have endpoints
+      const event = await seedEvent(TENANT_B);
+      await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+      const endpointB = await seedEndpoint(TENANT_B, 'http://b.example.com/hook');
+
+      await handleEvent({ eventId: event.id });
+
+      expect(addWebhookJob).toHaveBeenCalledTimes(1);
+      expect(addWebhookJob).toHaveBeenCalledWith(event.id, endpointB.id, expect.anything());
+    });
+  });
+
+  describe('data damage: retry keeps the original tenant', () => {
+    it('failed delivery writes a failed attempt under the event tenant', async () => {
+      componentRequest.mockRejectedValueOnce(Object.assign(new Error('boom'), { response: { status: 500 } }));
+      const event = await seedEvent(TENANT_A);
+      const endpointA = await seedEndpoint(TENANT_A, 'http://a.example.com/hook');
+
+      await handleWebhook({ eventId: event.id, webhookId: endpointA.id });
+
+      const [attempts] = await sequelize.query('SELECT status, instance_did FROM webhook_attempts');
+      expect(attempts).toEqual([{ status: 'failed', instance_did: TENANT_A }]);
+    });
+  });
+});

package/api/tests/queues/exchange-rate-health-tenant-d6.spec.ts

@@ -0,0 +1,62 @@
+// D6 — the exchange-rate-health schedule carries its tenant in the job PAYLOAD,
+// so the re-schedule (on 'finished', which fires OUTSIDE any withTenant scope)
+// stays under the correct tenant without relying on the ALS context. In multi
+// mode a tenant-less push would throw TENANT_CONTEXT_MISSING.
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+const pushed: any[] = [];
+let finishedListener: ((data: any) => void) | undefined;
+
+jest.mock('../../src/libs/queue', () => ({
+  __esModule: true,
+  default: () => ({
+    push: (p: any) => {
+      pushed.push(p);
+      return { on: jest.fn() };
+    },
+    on: (ev: string, cb: any) => {
+      if (ev === 'finished') finishedListener = cb;
+    },
+    pushAndWait: jest.fn(),
+    cancel: jest.fn(),
+    get: jest.fn(),
+    store: { addJob: jest.fn(), getScheduledJobs: jest.fn().mockResolvedValue([]) },
+    stop: jest.fn(),
+  }),
+}));
+
+import { scheduleHealthChecks } from '../../src/queues/exchange-rate-health';
+
+describe('D6 — exchange-rate-health carries the tenant in the job payload', () => {
+  beforeEach(() => {
+    pushed.length = 0;
+  });
+
+  it('the initial schedule pushes a job tagged with instance_did', () => {
+    scheduleHealthChecks('did:abt:zHEALTHA');
+    expect(pushed.length).toBe(1);
+    expect(pushed[0].job.instance_did).toBe('did:abt:zHEALTHA');
+    expect(pushed[0].persist).toBe(true);
+  });
+
+  it('the re-schedule preserves the FINISHED job’s tenant (no ALS reliance)', () => {
+    scheduleHealthChecks('did:abt:zHEALTHA');
+    expect(finishedListener).toBeDefined();
+    pushed.length = 0;
+    // simulate a finished job that belonged to tenant B — the next schedule must
+    // be for B, taken from the job payload, NOT from any ambient context.
+    finishedListener!({ job: { type: 'health_check', timestamp: 1, instance_did: 'did:abt:zHEALTHB' } });
+    expect(pushed.length).toBe(1);
+    expect(pushed[0].job.instance_did).toBe('did:abt:zHEALTHB');
+  });
+
+  it('single mode (no instanceDid) pushes without a forced tenant (default-tenant fallback applies)', () => {
+    scheduleHealthChecks(undefined);
+    expect(pushed.length).toBe(1);
+    expect(pushed[0].job.instance_did).toBeUndefined(); // injectJobTenant uses the default tenant in single
+  });
+});

package/api/tests/queues/queue-parity.spec.ts

@@ -0,0 +1,249 @@
+// Phase 9 (W2-1b): queue engine + executor parity (W2 判据 4).
+//
+// The CF worker runs the SAME queue engine as Blocklet Server
+// (api/src/libs/queue) — only the fastq EXECUTOR primitive is swapped (real
+// fastq on Node, cloudflare/shims/fastq in the worker). This spec proves:
+//   Part A — the engine's delay/retry/cancel/pushAndWait semantics (embedded).
+//   Part B — the fastq shim is a faithful drop-in for real fastq on the exact
+//            operations the engine uses, so the worker behaves identically.
+// Together that is the embedded↔worker queue parity the acceptance gate wants.
+
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+
+import { withTenant, getInstanceDid } from '../../src/libs/context';
+
+/* eslint-disable global-require, import/no-dynamic-require, require-await, no-promise-executor-return */
+
+// the retry/settle cases do real per-attempt DB ops on a shared sqlite file;
+// under full-suite parallel load they can exceed jest's 5s default, so give the
+// suite a generous timeout (these are inherently I/O-bound, not hung). Phase 12b
+// added queue-runtime-surface.spec.ts which contends for the same jest workers,
+// so the margin is bumped to keep the settle cases from a transient timeout.
+jest.setTimeout(60000);
+
+jest.mock('../../src/libs/logger', () => ({
+  __esModule: true,
+  default: { info: jest.fn(), warn: jest.fn(), error: jest.fn(), debug: jest.fn() },
+}));
+
+const STORE_DIR = path.join(__dirname, '../../src/store');
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'queue-parity-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let createQueue: any;
+
+beforeAll(async () => {
+  await umzug.up();
+  const models = require('../../src/store/models');
+  models.initialize(sequelize);
+  createQueue = require('../../src/libs/queue').default;
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+const settle = (emitter: any): Promise<{ event: string; data: any }> =>
+  new Promise((resolve) => {
+    ['finished', 'failed', 'cancelled'].forEach((e) => emitter.on(e, (data: any) => resolve({ event: e, data })));
+  });
+
+describe('Part A — Node queue engine contract semantics', () => {
+  beforeEach(async () => {
+    await sequelize.query('DELETE FROM jobs');
+  });
+
+  it('immediate job runs and the jobs row is cleared on finish', async () => {
+    const seen: any[] = [];
+    const q = createQueue({
+      name: `pa-imm-${Date.now()}`,
+      onJob: async (job: any) => {
+        seen.push(job.v);
+        return job.v * 2;
+      },
+    });
+    const ev = q.push({ job: { v: 21 } });
+    const { event, data } = await settle(ev);
+    expect(event).toBe('finished');
+    expect(data.result).toBe(42);
+    expect(seen).toEqual([21]);
+    const row = await q.get(ev.id);
+    expect(row).toBeNull(); // cleared
+  });
+
+  it('pushAndWait resolves with the handler result', async () => {
+    const q = createQueue({ name: `pa-paw-${Date.now()}`, onJob: async (job: any) => `ok:${job.v}` });
+    const res: any = await q.pushAndWait({ job: { v: 7 } });
+    expect(res.result).toBe('ok:7');
+  });
+
+  it('retries up to maxRetries then fails (no infinite retry)', async () => {
+    let attempts = 0;
+    const retries: number[] = [];
+    const q = createQueue({
+      name: `pa-retry-${Date.now()}`,
+      onJob: async () => {
+        attempts += 1;
+        throw new Error('always');
+      },
+      options: { maxRetries: 3, retryDelay: 1 },
+    });
+    q.on('retry', () => retries.push(1));
+    const ev = q.push({ job: { v: 1 } });
+    const { event } = await settle(ev);
+    expect(event).toBe('failed');
+    expect(attempts).toBe(3); // initial + 2 retries (retry_count starts at 1, fails at >= maxRetries)
+    expect(retries.length).toBeGreaterThanOrEqual(1);
+  });
+
+  it('nonRetryable error fails immediately (single attempt)', async () => {
+    let attempts = 0;
+    const q = createQueue({
+      name: `pa-nonretry-${Date.now()}`,
+      onJob: async () => {
+        attempts += 1;
+        const err: any = new Error('forged');
+        err.nonRetryable = true;
+        throw err;
+      },
+      options: { maxRetries: 5, retryDelay: 1 },
+    });
+    const ev = q.push({ job: { v: 1 } });
+    const { event } = await settle(ev);
+    expect(event).toBe('failed');
+    expect(attempts).toBe(1);
+  });
+
+  it('cancel marks the row and excludes it from recovery (the skip mechanism)', async () => {
+    const q = createQueue({ name: `pa-cancel-${Date.now()}`, onJob: async () => undefined });
+    await q.store.addJob('cj-1', { v: 1, instance_did: 'did:abt:zCANCEL' }, {});
+    // before cancel: recovery would pick the row up
+    expect((await q.store.getJobs()).some((j: any) => j.id === 'cj-1')).toBe(true);
+    await q.cancel('cj-1');
+    // after cancel: execution-time guard sees it, recovery query excludes it
+    expect(await q.store.isCancelled('cj-1')).toBe(true);
+    expect((await q.store.getJobs()).some((j: any) => j.id === 'cj-1')).toBe(false);
+  });
+
+  // Bad input
+  it('rejects an empty job', () => {
+    const q = createQueue({ name: `pa-empty-${Date.now()}`, onJob: async () => undefined });
+    expect(() => q.push({ job: undefined as any })).toThrow(/Can not queue empty job/);
+  });
+
+  // Data damage — same job id does not execute twice (duplicate guard)
+  it('a duplicate job id executes only once', async () => {
+    let runs = 0;
+    const q = createQueue({
+      name: `pa-dup-${Date.now()}`,
+      onJob: async () => {
+        runs += 1;
+        return runs;
+      },
+    });
+    q.push({ job: { v: 1 }, id: 'dup-1' });
+    q.push({ job: { v: 1 }, id: 'dup-1' }); // duplicate id — store rejects, no second execution
+    // Either push can win the concurrent addJob UNIQUE race; the LOSER's
+    // jobEvents never settles (its addJob rejects before queueJob), so awaiting
+    // one specific push is racy and starves under parallel load. Wait for the
+    // single execution to actually land instead — that is what we assert.
+    const deadline = Date.now() + 5000;
+    while (runs < 1 && Date.now() < deadline) {
+      // eslint-disable-next-line no-await-in-loop, no-promise-executor-return
+      await new Promise((r) => setTimeout(r, 20));
+    }
+    await new Promise((r) => setTimeout(r, 60));
+    expect(runs).toBe(1);
+  });
+
+  // Data leak — the handler runs under the PAYLOAD tenant, never another's
+  it('handler executes under the payload tenant (no cross-tenant leak)', async () => {
+    const seen: Record<string, string> = {};
+    const q = createQueue({
+      name: `pa-tenant-${Date.now()}`,
+      onJob: async (job: any) => {
+        seen[job.tag] = getInstanceDid();
+      },
+    });
+    // push under tenant A's context — payload is stamped with A
+    const evA = await withTenant('did:abt:zTENANTA', async () => q.push({ job: { tag: 'A' } }));
+    const evB = await withTenant('did:abt:zTENANTB', async () => q.push({ job: { tag: 'B' } }));
+    await Promise.all([settle(evA), settle(evB)]);
+    expect(seen.A).toBe('did:abt:zTENANTA');
+    expect(seen.B).toBe('did:abt:zTENANTB');
+  });
+});
+
+describe('Part B — fastq shim is a faithful drop-in for real fastq', () => {
+  // run the exact operations the engine uses against both executors
+  const realFastq = require('fastq');
+  const shimFastq = require('../../../cloudflare/shims/fastq').default;
+
+  const scenario = (fastqImpl: any) =>
+    new Promise<any>((resolve) => {
+      const order: string[] = [];
+      const results: any[] = [];
+      const q = fastqImpl(async (data: any, cb: Function) => {
+        order.push(data.id);
+        if (data.fail) {
+          cb(new Error(`fail:${data.id}`));
+          return;
+        }
+        cb(null, `done:${data.id}`);
+      }, 1);
+      let pending = 3;
+      const done = (tag: string) => (err: any, res: any) => {
+        results.push({ tag, err: err?.message ?? null, res: res ?? null });
+        pending -= 1;
+        if (pending === 0) resolve({ order, results });
+      };
+      q.push({ id: 'a' }, done('a'));
+      q.push({ id: 'b', fail: true }, done('b'));
+      q.unshift({ id: 'c' }, done('c')); // unshift jumps the queue (retry path)
+    });
+
+  it('produces identical execution order and results on both executors', async () => {
+    const real = await scenario(realFastq);
+    const shim = await scenario(shimFastq);
+    // same success/error callback shape per job
+    const norm = (r: any) => r.results.sort((x: any, y: any) => x.tag.localeCompare(y.tag));
+    expect(norm(shim)).toEqual(norm(real));
+    // job 'b' errored on both, 'a'/'c' succeeded on both
+    const byTag = (r: any) => Object.fromEntries(r.results.map((x: any) => [x.tag, x.err ? 'err' : 'ok']));
+    expect(byTag(shim)).toEqual(byTag(real));
+    expect(byTag(real)).toEqual({ a: 'ok', b: 'err', c: 'ok' });
+  });
+
+  it('the shim accepts the 2-arg fastq(worker, concurrency) form the engine uses', async () => {
+    // regression for the pre-existing "worker is not a function" bug
+    const ran: any[] = [];
+    const q = shimFastq(async (data: any, cb: Function) => {
+      ran.push(data.id);
+      cb(null, 'ok');
+    }, 1);
+    const res = await new Promise((r) => q.push({ id: 'x' }, (_e: any, v: any) => r(v)));
+    expect(ran).toEqual(['x']);
+    expect(res).toBe('ok');
+  });
+});