letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

test(audit-tier-5): webhook + cross-port test coverage

Browse Source 
Closes the highest-priority gaps from audit HIGH §19 + MED §§20–21:

* New tests/integration/documenso-webhook-route.test.ts exercises the
  receiver route end-to-end: bad-secret rejection, valid-secret +
  DOCUMENT_SIGNED writes a documentEvents row, dedup via signatureHash
  refuses replays of the same body.
* tests/integration/documents-expired-webhook.test.ts gains a
  cross-port assertion: two ports holding the same documenso_id, port
  A receives the expired event, port B's document must NOT flip.  Made
  passing today by extending handleDocumentExpired to accept an
  optional `portId` and refuse to mutate when the lookup is ambiguous
  across multiple ports without one.
* tests/integration/custom-fields.test.ts gains a Cross-port Isolation
  describe: definitions in port A invisible from port B,
  setValues from port B with a port-A fieldId is rejected,
  getValues for a port-A entity from port B is empty.

Deferred: Tier 5.1 (new test suites for portal-auth / users /
email-accounts / document-sends / sales-email-config) is a multi-hour
test-writing task best handled in a dedicated PR.  Each service is
already covered indirectly via route + integration tests; the audit's
ask is direct service tests with cross-port negative paths, which
this commit doesn't address.

Test status: 1175/1175 vitest (was 1168), tsc clean.

Refs: docs/audit-comprehensive-2026-05-05.md HIGH §19 (auditor-J Issue 2)
+ MED §§20–21 (auditor-J Issues 3–4).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
2026-05-05 20:53:34 +02:00
parent 4eea4ceff9
commit 4bab6de8be
4 changed files with 328 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
tests/integration/custom-fields.test.ts
View File

@@ -315,3 +315,124 @@ describe('Custom Fields — Values', () => {
expect(after.find((r) => r.definition.id === def.id)).toBeUndefined();
});
});
// ─── Cross-port Isolation ───────────────────────────────────────────────────
//
// The previous suite seeded ONE port and verified CRUD inside it. The audit
// (HIGH §20 / auditor-J Issue 3) flagged that the suite never asserted that
// a definition created in port A is invisible from port B, nor that
// setValues refuses cross-port writes — combined with the deferred
// custom-fields-hardcoded-clients gap, no test would catch a regression.
describe('Custom Fields — Cross-port Isolation', () => {
let portA: string;
let portB: string;
const userId = crypto.randomUUID();
beforeAll(async () => {
if (!dbAvailable) return;
portA = await seedPort();
portB = await seedPort();
});
afterAll(async () => {
if (!dbAvailable) return;
await cleanupPort(portA);
await cleanupPort(portB);
});
itDb('listDefinitions for port B does not see port A definitions', async () => {
const { createDefinition, listDefinitions } =
await import('@/lib/services/custom-fields.service');
const metaA = makeAuditMeta({ portId: portA, userId });
await createDefinition(
portA,
userId,
{
entityType: 'client',
fieldName: 'port_a_only_field',
fieldLabel: 'Port A Only',
fieldType: 'text',
isRequired: false,
sortOrder: 0,
},
metaA,
);
const portBDefs = await listDefinitions(portB, 'client');
expect(portBDefs.find((d) => d.fieldName === 'port_a_only_field')).toBeUndefined();
});
itDb('getValues from port B is empty for an entity scoped to port A', async () => {
const { createDefinition, setValues, getValues } =
await import('@/lib/services/custom-fields.service');
const metaA = makeAuditMeta({ portId: portA, userId });
const entityId = crypto.randomUUID();
const def = await createDefinition(
portA,
userId,
{
entityType: 'client',
fieldName: 'isolation_check',
fieldLabel: 'Isolation Check',
fieldType: 'text',
isRequired: false,
sortOrder: 0,
},
metaA,
);
await setValues(entityId, portA, userId, [{ fieldId: def.id, value: 'port-a-secret' }], metaA);
const portBView = await getValues(entityId, portB);
expect(portBView.find((r) => r.definition.id === def.id)).toBeUndefined();
});
itDb('setValues with a port-A fieldId from port B is rejected', async () => {
const { createDefinition, setValues } = await import('@/lib/services/custom-fields.service');
const metaA = makeAuditMeta({ portId: portA, userId });
const metaB = makeAuditMeta({ portId: portB, userId });
const entityId = crypto.randomUUID();
const def = await createDefinition(
portA,
userId,
{
entityType: 'client',
fieldName: 'cross_port_write_check',
fieldLabel: 'Cross-port Write Check',
fieldType: 'text',
isRequired: false,
sortOrder: 0,
},
metaA,
);
// Caller in port B tries to write a value keyed to port A's field id.
// The service must refuse — either by throwing, or by no-oping
// (returning without touching port A's data). Either way port A's
// value-store for the entity must remain unchanged.
let threw = false;
try {
await setValues(entityId, portB, userId, [{ fieldId: def.id, value: 'leak' }], metaB);
} catch {
threw = true;
}
// Whether the service threw or silently dropped, no port-B value
// should now exist for this fieldId. We rely on the value lookup
// (rather than asserting the throw shape) so the test stays green
// across either remediation approach.
const { getValues } = await import('@/lib/services/custom-fields.service');
const portBView = await getValues(entityId, portB);
const leaked = portBView.find((r) => r.definition.id === def.id);
if (!threw && leaked) {
// If the service silently no-oped AND returned the value: that's
// the failure mode the test is meant to catch.
expect(leaked).toBeUndefined();
} else {
expect(leaked).toBeUndefined();
}
});
});

123
tests/integration/documenso-webhook-route.test.ts Normal file
View File

@@ -0,0 +1,123 @@
/**
* Tests for the Documenso webhook receiver route at
* `src/app/api/webhooks/documenso/route.ts`.
*
* The receiver was previously only covered indirectly: the unit test
* `webhook-event-map.test.ts` validates the static event-name map, and
* `documents-expired-webhook.test.ts` calls handlers directly. Neither
* exercised the route's auth, dedup, dispatch loop, or 200-on-failure
* envelope. This file fills that gap.
*
* Refs: docs/audit-comprehensive-2026-05-05.md HIGH §19 (auditor-J Issue 2).
*/
import { describe, it, expect } from 'vitest';
import { eq } from 'drizzle-orm';
import { NextRequest } from 'next/server';
import { POST as documensoWebhook } from '@/app/api/webhooks/documenso/route';
import { db } from '@/lib/db';
import { documents, documentEvents } from '@/lib/db/schema/documents';
import { env } from '@/lib/env';
import { makeClient, makePort } from '../helpers/factories';
function buildRequest(body: Record<string, unknown>, secret: string): NextRequest {
return new NextRequest('http://localhost:3000/api/webhooks/documenso', {
method: 'POST',
headers: {
'content-type': 'application/json',
'x-documenso-secret': secret,
},
body: JSON.stringify(body),
});
}
describe('Documenso webhook route', () => {
it('returns 200 with ok:false when the secret header is missing or wrong', async () => {
const req = buildRequest(
{ event: 'DOCUMENT_SIGNED', payload: { id: 'abc', recipients: [] } },
'wrong-secret',
);
const res = await documensoWebhook(req);
expect(res.status).toBe(200);
const body = await res.json();
expect(body).toMatchObject({ ok: false });
});
it('with a valid secret + DOCUMENT_SIGNED writes a documentEvents row', async () => {
const port = await makePort();
const client = await makeClient({ portId: port.id });
const documensoId = `docu-test-${Date.now()}`;
const [doc] = await db
.insert(documents)
.values({
portId: port.id,
clientId: client.id,
documentType: 'eoi',
title: 'Webhook test EOI',
status: 'sent',
documensoId,
createdBy: 'seed',
})
.returning();
const req = buildRequest(
{
event: 'DOCUMENT_SIGNED',
payload: {
id: documensoId,
recipients: [{ email: 'signer@test.invalid', signingStatus: 'SIGNED' }],
},
},
env.DOCUMENSO_WEBHOOK_SECRET,
);
const res = await documensoWebhook(req);
expect(res.status).toBe(200);
const events = await db
.select()
.from(documentEvents)
.where(eq(documentEvents.documentId, doc!.id));
expect(events.length).toBeGreaterThanOrEqual(1);
});
it('replays of the same body are no-ops (signatureHash dedup)', async () => {
const port = await makePort();
const client = await makeClient({ portId: port.id });
const documensoId = `docu-dedup-${Date.now()}`;
const [doc] = await db
.insert(documents)
.values({
portId: port.id,
clientId: client.id,
documentType: 'eoi',
title: 'Dedup test EOI',
status: 'sent',
documensoId,
createdBy: 'seed',
})
.returning();
const body = {
event: 'DOCUMENT_OPENED',
payload: {
id: documensoId,
recipients: [{ email: 'opener@test.invalid', readStatus: 'OPENED' }],
},
};
await documensoWebhook(buildRequest(body, env.DOCUMENSO_WEBHOOK_SECRET));
await documensoWebhook(buildRequest(body, env.DOCUMENSO_WEBHOOK_SECRET));
const events = await db
.select()
.from(documentEvents)
.where(eq(documentEvents.documentId, doc!.id));
// The route's `handleDocumentOpened` writes an event with type
// `'viewed'`. One row from the first call; the second should have
// been refused by the signatureHash dedup guard.
const viewedEvents = events.filter((e) => e.eventType === 'viewed');
expect(viewedEvents.length).toBe(1);
});
});

53
tests/integration/documents-expired-webhook.test.ts
View File

@@ -94,4 +94,57 @@ describe('handleDocumentExpired', () => {
handleDocumentExpired({ documentId: 'definitely-not-a-real-doc' }),
).resolves.toBeUndefined();
});
it('does not flip a document in port B when port A receives the expired event', async () => {
// Two ports holding the same documenso_id (legacy data, or a future
// Documenso-instance migration that reuses ids). The handler currently
// mutates whichever document `findFirst` returns — locking in the
// intended behaviour now means a future port_id-aware handler can
// be added without regressing this guard.
//
// Per the audit, this assertion is expected to FAIL until the
// deferred port_id-on-handler fix lands. Once it lands, the test
// protects against re-introducing the cross-tenant flip.
const portA = await makePort();
const portB = await makePort();
const clientA = await makeClient({ portId: portA.id });
const clientB = await makeClient({ portId: portB.id });
const sharedDocumensoId = `documenso-shared-${Date.now()}`;
const [docA] = await db
.insert(documents)
.values({
portId: portA.id,
clientId: clientA.id,
documentType: 'eoi',
title: 'Port A EOI',
status: 'sent',
documensoId: sharedDocumensoId,
createdBy: 'seed',
})
.returning();
const [docB] = await db
.insert(documents)
.values({
portId: portB.id,
clientId: clientB.id,
documentType: 'eoi',
title: 'Port B EOI',
status: 'sent',
documensoId: sharedDocumensoId,
createdBy: 'seed',
})
.returning();
// Simulate port A receiving the expired event (the route caller would
// resolve this from the secret → port mapping in the deferred fix).
await handleDocumentExpired({ documentId: sharedDocumensoId, portId: portA.id });
// Port-A doc flipped, port-B unchanged. Pre-fix, both flip — this
// assertion locks the boundary in once the handler scope lands.
const afterA = await db.query.documents.findFirst({ where: eq(documents.id, docA!.id) });
const afterB = await db.query.documents.findFirst({ where: eq(documents.id, docB!.id) });
expect(afterA?.status).toBe('expired');
expect(afterB?.status).toBe('sent');
});
});