test(audit-fixes): cover the new permission and webhook surfaces
Adds integration coverage for the routes / handlers shipped in the preceding audit-fix commits, plus refactors two route files to expose inner handlers from a sibling `handlers.ts` (the pattern used elsewhere in `src/app/api/v1`) so tests can call them without the `withAuth(withPermission(…))` wrapper. New tests (18 cases across 4 files): - `tests/integration/portal-auth.test.ts` (6) — verifyPortalToken rejects tokens missing `aud: 'portal'` or `iss: 'pn-crm'`, with the wrong audience (CRM-session-replay shape) or wrong issuer, plus a round-trip happy path. Locks in the portal-vs-CRM token isolation. - `tests/integration/api/saved-views-ownership.test.ts` (6) — patch and delete handlers return 403 for a different user, 404 for an unknown id or cross-port id, and 200 for the owner. Ownership is enforced at the route layer regardless of the service's internal filtering. - `tests/integration/api/berth-reservations-list.test.ts` (3) — the new global list returns rows for the current port only and honors pagination params. A reservation in a different port never leaks. - `tests/integration/documents-expired-webhook.test.ts` (3) — handleDocumentExpired flips the document to `expired`, also flips the linked interest's `eoiStatus`, writes a `documentEvents` row, and is a no-op (not a throw) when the documensoId is unknown. Refactors: - `src/app/api/v1/saved-views/[id]/route.ts` extracts `patchHandler` / `deleteHandler` (and the shared `assertViewOwner`) into `handlers.ts`. The route file is now a 4-line `withAuth(handler)` wrapper. - `src/app/api/v1/berth-reservations/route.ts` extracts `listHandler` similarly. Tests import directly from `handlers.ts`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
102
tests/integration/api/berth-reservations-list.test.ts
Normal file
102
tests/integration/api/berth-reservations-list.test.ts
Normal file
@@ -0,0 +1,102 @@
|
||||
/**
|
||||
* Port-scoped global reservations list — locks in feat(marina): the new
|
||||
* `GET /api/v1/berth-reservations` endpoint that powers the
|
||||
* `[portSlug]/berth-reservations` page. The route is thin (parseQuery →
|
||||
* listReservations); the test guarantees port scoping at the handler
|
||||
* boundary so a future refactor of the service can't accidentally leak
|
||||
* cross-port rows.
|
||||
*/
|
||||
import { describe, it, expect } from 'vitest';
|
||||
|
||||
import { listHandler } from '@/app/api/v1/berth-reservations/handlers';
|
||||
import { createHandler as createReservationHandler } from '@/app/api/v1/berths/[id]/reservations/handlers';
|
||||
import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
|
||||
import {
|
||||
makeBerth,
|
||||
makeClient,
|
||||
makeFullPermissions,
|
||||
makePort,
|
||||
makeYacht,
|
||||
} from '../../helpers/factories';
|
||||
|
||||
async function seedReservation(portId: string) {
|
||||
const berth = await makeBerth({ portId });
|
||||
const client = await makeClient({ portId });
|
||||
const yacht = await makeYacht({ portId, ownerType: 'client', ownerId: client.id });
|
||||
const ctx = makeMockCtx({ portId, permissions: makeFullPermissions() });
|
||||
const res = await createReservationHandler(
|
||||
makeMockRequest('POST', `http://localhost/api/v1/berths/${berth.id}/reservations`, {
|
||||
body: {
|
||||
clientId: client.id,
|
||||
yachtId: yacht.id,
|
||||
startDate: new Date().toISOString(),
|
||||
},
|
||||
}),
|
||||
ctx,
|
||||
{ id: berth.id },
|
||||
);
|
||||
return (await res.json()).data as { id: string; berthId: string };
|
||||
}
|
||||
|
||||
describe('GET /api/v1/berth-reservations', () => {
|
||||
it('returns all reservations for the requesting port', async () => {
|
||||
const port = await makePort();
|
||||
const r1 = await seedReservation(port.id);
|
||||
const r2 = await seedReservation(port.id);
|
||||
|
||||
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
||||
const res = await listHandler(
|
||||
makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations'),
|
||||
ctx,
|
||||
);
|
||||
expect(res.status).toBe(200);
|
||||
|
||||
const body = await res.json();
|
||||
const ids = (body.data as Array<{ id: string }>).map((r) => r.id).sort();
|
||||
expect(ids).toEqual([r1.id, r2.id].sort());
|
||||
expect(body.pagination).toMatchObject({ page: 1, total: 2 });
|
||||
});
|
||||
|
||||
it('does not leak reservations from a different port', async () => {
|
||||
const portA = await makePort();
|
||||
const portB = await makePort();
|
||||
const reservationInB = await seedReservation(portB.id);
|
||||
|
||||
// Caller is operating in portA; portB's reservation must not appear.
|
||||
const ctx = makeMockCtx({ portId: portA.id, permissions: makeFullPermissions() });
|
||||
const res = await listHandler(
|
||||
makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations'),
|
||||
ctx,
|
||||
);
|
||||
expect(res.status).toBe(200);
|
||||
|
||||
const body = await res.json();
|
||||
const ids = (body.data as Array<{ id: string }>).map((r) => r.id);
|
||||
expect(ids).not.toContain(reservationInB.id);
|
||||
});
|
||||
|
||||
it('honors pagination via query params', async () => {
|
||||
const port = await makePort();
|
||||
await seedReservation(port.id);
|
||||
await seedReservation(port.id);
|
||||
await seedReservation(port.id);
|
||||
|
||||
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
||||
const res = await listHandler(
|
||||
makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations?page=1&limit=2'),
|
||||
ctx,
|
||||
);
|
||||
expect(res.status).toBe(200);
|
||||
|
||||
const body = await res.json();
|
||||
expect(body.data).toHaveLength(2);
|
||||
expect(body.pagination).toMatchObject({
|
||||
page: 1,
|
||||
pageSize: 2,
|
||||
total: 3,
|
||||
totalPages: 2,
|
||||
hasNextPage: true,
|
||||
hasPreviousPage: false,
|
||||
});
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user