e42b8fde84
Adds four realapi specs that gate cleanly on env: smtp-system-send (roundtrip + attachment bytes), email-attachments-roundtrip (cross-port 403), documenso-cancel (in-flight cancel → status flip), minio-file-lifecycle (upload/list/download/delete byte-equal). Specs skip without DOCUMENSO_API_*/SMTP/IMAP/MINIO env so they run as no-ops when those services aren't reachable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
42 lines
1.4 KiB
TypeScript
42 lines
1.4 KiB
TypeScript
import 'dotenv/config';
|
|
import { test, expect } from '@playwright/test';
|
|
|
|
import { login, apiHeaders } from '../smoke/helpers';
|
|
|
|
/**
|
|
* Real-API spec covering attachment cross-port enforcement (Phase A PR8).
|
|
*
|
|
* The hot-path SMTP+IMAP roundtrip is exercised by smtp-system-send.spec.ts.
|
|
* This spec specifically verifies that attaching a fileId from a different
|
|
* port returns 403 *before* SMTP is touched.
|
|
*
|
|
* Requires SMTP_HOST + a second port slug (PHASE_A_OTHER_PORT_SLUG) seeded
|
|
* with a file the calling user cannot reach. Skips otherwise.
|
|
*/
|
|
|
|
const SMTP_HOST = process.env.SMTP_HOST;
|
|
const OTHER_PORT_FILE_ID = process.env.PHASE_A_CROSS_PORT_FILE_ID;
|
|
|
|
test.describe('Email attachments — port isolation', () => {
|
|
test.skip(!SMTP_HOST || !OTHER_PORT_FILE_ID, 'cross-port fixture not configured');
|
|
|
|
test.beforeEach(async ({ page }) => {
|
|
await login(page, 'super_admin');
|
|
});
|
|
|
|
test('rejects cross-port fileId with 403 before SMTP', async ({ page }) => {
|
|
const headers = await apiHeaders(page);
|
|
const res = await page.request.post('/api/v1/email/compose', {
|
|
headers,
|
|
data: {
|
|
senderType: 'system',
|
|
to: ['noop@example.test'],
|
|
subject: 'cross-port attempt',
|
|
bodyHtml: '<p>should fail before SMTP</p>',
|
|
attachments: [{ fileId: OTHER_PORT_FILE_ID! }],
|
|
},
|
|
});
|
|
expect(res.status()).toBe(403);
|
|
});
|
|
});
|