tests/integration/api/berth-reservations-list.test.ts

/**
 * Port-scoped global reservations list — locks in feat(marina): the new
 * `GET /api/v1/berth-reservations` endpoint that powers the
 * `[portSlug]/berth-reservations` page. The route is thin (parseQuery →
 * listReservations); the test guarantees port scoping at the handler
 * boundary so a future refactor of the service can't accidentally leak
 * cross-port rows.
 */
import { describe, it, expect } from 'vitest';

import { listHandler } from '@/app/api/v1/berth-reservations/handlers';
import { createHandler as createReservationHandler } from '@/app/api/v1/berths/[id]/reservations/handlers';
import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
import {
  makeBerth,
  makeClient,
  makeFullPermissions,
  makePort,
  makeYacht,
} from '../../helpers/factories';

async function seedReservation(portId: string) {
  const berth = await makeBerth({ portId });
  const client = await makeClient({ portId });
  const yacht = await makeYacht({ portId, ownerType: 'client', ownerId: client.id });
  const ctx = makeMockCtx({ portId, permissions: makeFullPermissions() });
  const res = await createReservationHandler(
    makeMockRequest('POST', `http://localhost/api/v1/berths/${berth.id}/reservations`, {
      body: {
        clientId: client.id,
        yachtId: yacht.id,
        startDate: new Date().toISOString(),
      },
    }),
    ctx,
    { id: berth.id },
  );
  return (await res.json()).data as { id: string; berthId: string };
}

describe('GET /api/v1/berth-reservations', () => {
  it('returns all reservations for the requesting port', async () => {
    const port = await makePort();
    const r1 = await seedReservation(port.id);
    const r2 = await seedReservation(port.id);

    const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
    const res = await listHandler(
      makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations'),
      ctx,
    );
    expect(res.status).toBe(200);

    const body = await res.json();
    const ids = (body.data as Array<{ id: string }>).map((r) => r.id).sort();
    expect(ids).toEqual([r1.id, r2.id].sort());
    expect(body.pagination).toMatchObject({ page: 1, total: 2 });
  });

  it('does not leak reservations from a different port', async () => {
    const portA = await makePort();
    const portB = await makePort();
    const reservationInB = await seedReservation(portB.id);

    // Caller is operating in portA; portB's reservation must not appear.
    const ctx = makeMockCtx({ portId: portA.id, permissions: makeFullPermissions() });
    const res = await listHandler(
      makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations'),
      ctx,
    );
    expect(res.status).toBe(200);

    const body = await res.json();
    const ids = (body.data as Array<{ id: string }>).map((r) => r.id);
    expect(ids).not.toContain(reservationInB.id);
  });

  it('honors pagination via query params', async () => {
    const port = await makePort();
    await seedReservation(port.id);
    await seedReservation(port.id);
    await seedReservation(port.id);

    const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
    const res = await listHandler(
      makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations?page=1&limit=2'),
      ctx,
    );
    expect(res.status).toBe(200);

    const body = await res.json();
    expect(body.data).toHaveLength(2);
    expect(body.pagination).toMatchObject({
      page: 1,
      pageSize: 2,
      total: 3,
      totalPages: 2,
      hasNextPage: true,
      hasPreviousPage: false,
    });
  });
});
test(audit-fixes): cover the new permission and webhook surfaces Adds integration coverage for the routes / handlers shipped in the preceding audit-fix commits, plus refactors two route files to expose inner handlers from a sibling `handlers.ts` (the pattern used elsewhere in `src/app/api/v1`) so tests can call them without the `withAuth(withPermission(…))` wrapper. New tests (18 cases across 4 files): - `tests/integration/portal-auth.test.ts` (6) — verifyPortalToken rejects tokens missing `aud: 'portal'` or `iss: 'pn-crm'`, with the wrong audience (CRM-session-replay shape) or wrong issuer, plus a round-trip happy path. Locks in the portal-vs-CRM token isolation. - `tests/integration/api/saved-views-ownership.test.ts` (6) — patch and delete handlers return 403 for a different user, 404 for an unknown id or cross-port id, and 200 for the owner. Ownership is enforced at the route layer regardless of the service's internal filtering. - `tests/integration/api/berth-reservations-list.test.ts` (3) — the new global list returns rows for the current port only and honors pagination params. A reservation in a different port never leaks. - `tests/integration/documents-expired-webhook.test.ts` (3) — handleDocumentExpired flips the document to `expired`, also flips the linked interest's `eoiStatus`, writes a `documentEvents` row, and is a no-op (not a throw) when the documensoId is unknown. Refactors: - `src/app/api/v1/saved-views/[id]/route.ts` extracts `patchHandler` / `deleteHandler` (and the shared `assertViewOwner`) into `handlers.ts`. The route file is now a 4-line `withAuth(handler)` wrapper. - `src/app/api/v1/berth-reservations/route.ts` extracts `listHandler` similarly. Tests import directly from `handlers.ts`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-02 23:17:08 +02:00			`/**`
			`* Port-scoped global reservations list — locks in feat(marina): the new`
			* `GET /api/v1/berth-reservations` endpoint that powers the
			* `[portSlug]/berth-reservations` page. The route is thin (parseQuery →
			`* listReservations); the test guarantees port scoping at the handler`
			`* boundary so a future refactor of the service can't accidentally leak`
			`* cross-port rows.`
			`*/`
			`import { describe, it, expect } from 'vitest';`

			`import { listHandler } from '@/app/api/v1/berth-reservations/handlers';`
			`import { createHandler as createReservationHandler } from '@/app/api/v1/berths/[id]/reservations/handlers';`
			`import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';`
			`import {`
			`makeBerth,`
			`makeClient,`
			`makeFullPermissions,`
			`makePort,`
			`makeYacht,`
			`} from '../../helpers/factories';`

			`async function seedReservation(portId: string) {`
			`const berth = await makeBerth({ portId });`
			`const client = await makeClient({ portId });`
			`const yacht = await makeYacht({ portId, ownerType: 'client', ownerId: client.id });`
			`const ctx = makeMockCtx({ portId, permissions: makeFullPermissions() });`
			`const res = await createReservationHandler(`
			makeMockRequest('POST', `http://localhost/api/v1/berths/${berth.id}/reservations`, {
			`body: {`
			`clientId: client.id,`
			`yachtId: yacht.id,`
			`startDate: new Date().toISOString(),`
			`},`
			`}),`
			`ctx,`
			`{ id: berth.id },`
			`);`
			`return (await res.json()).data as { id: string; berthId: string };`
			`}`

			`describe('GET /api/v1/berth-reservations', () => {`
			`it('returns all reservations for the requesting port', async () => {`
			`const port = await makePort();`
			`const r1 = await seedReservation(port.id);`
			`const r2 = await seedReservation(port.id);`

			`const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });`
			`const res = await listHandler(`
			`makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations'),`
			`ctx,`
			`);`
			`expect(res.status).toBe(200);`

			`const body = await res.json();`
			`const ids = (body.data as Array<{ id: string }>).map((r) => r.id).sort();`
			`expect(ids).toEqual([r1.id, r2.id].sort());`
			`expect(body.pagination).toMatchObject({ page: 1, total: 2 });`
			`});`

			`it('does not leak reservations from a different port', async () => {`
			`const portA = await makePort();`
			`const portB = await makePort();`
			`const reservationInB = await seedReservation(portB.id);`

			`// Caller is operating in portA; portB's reservation must not appear.`
			`const ctx = makeMockCtx({ portId: portA.id, permissions: makeFullPermissions() });`
			`const res = await listHandler(`
			`makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations'),`
			`ctx,`
			`);`
			`expect(res.status).toBe(200);`

			`const body = await res.json();`
			`const ids = (body.data as Array<{ id: string }>).map((r) => r.id);`
			`expect(ids).not.toContain(reservationInB.id);`
			`});`

			`it('honors pagination via query params', async () => {`
			`const port = await makePort();`
			`await seedReservation(port.id);`
			`await seedReservation(port.id);`
			`await seedReservation(port.id);`

			`const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });`
			`const res = await listHandler(`
			`makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations?page=1&limit=2'),`
			`ctx,`
			`);`
			`expect(res.status).toBe(200);`

			`const body = await res.json();`
			`expect(body.data).toHaveLength(2);`
			`expect(body.pagination).toMatchObject({`
			`page: 1,`
			`pageSize: 2,`
			`total: 3,`
			`totalPages: 2,`
			`hasNextPage: true,`
			`hasPreviousPage: false,`
			`});`
			`});`
			`});`