e8d61c91c4
Residential platform - New schema: residentialClients, residentialInterests (separate from marina/yacht clients) with migration 0010 - Service layer with CRUD + audit + sockets + per-port portal toggle - v1 + public API routes (/api/v1/residential/*, /api/public/residential-inquiries) - List + detail pages with inline editing for clients and interests - Per-user residentialAccess toggle on userPortRoles (migration 0011) - Permission keys: residential_clients, residential_interests - Sidebar nav + role form integration - Smoke spec covering page loads, UI create flow, public endpoint Admin & shared UI - Admin → Forms (form templates CRUD) with validators + service - Notification preferences page (in-app + email per type) - Email composition + accounts list + threads view - Branded auth shell shared across CRM + portal auth surfaces - Inline editing extended to yacht/company/interest detail pages - InlineTagEditor + per-entity tags endpoints (yachts, companies) - Notes service polymorphic across clients/interests/yachts/companies - Client list columns: yachtCount + companyCount badges - Reservation file-download via presigned URL (replaces stale <a href>) Route handler refactor - Extracted yachts/companies/berths reservation handlers to sibling handlers.ts files (Next.js 15 route.ts only allows specific exports) Reliability fixes - apiFetch double-stringify bug fixed across 13 components (apiFetch already JSON.stringifies its body; passing a stringified body produced double-encoded JSON which failed zod validation) - SocketProvider gated behind useSyncExternalStore-based mount check to avoid useSession() SSR crashes under React 19 + Next 15 - apiFetch falls back to URL-pathname → port-id resolution when the Zustand store hasn't hydrated yet (fresh contexts, e2e tests) - CRM invite flow (schema, service, route, email, dev script) - Dashboard route → [portSlug]/dashboard/page.tsx + redirect - Document the dev-server restart-after-migration gotcha in CLAUDE.md Tests - 5-case residential smoke spec - Integration test updates for new service signatures Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
353 lines
13 KiB
TypeScript
353 lines
13 KiB
TypeScript
import { describe, it, expect } from 'vitest';
|
|
|
|
import { getHandler, patchHandler, deleteHandler } from '@/app/api/v1/yachts/[id]/handlers';
|
|
import { transferHandler } from '@/app/api/v1/yachts/[id]/transfer/route';
|
|
import { historyHandler } from '@/app/api/v1/yachts/[id]/ownership-history/route';
|
|
import { autocompleteHandler } from '@/app/api/v1/yachts/autocomplete/route';
|
|
import { withPermission } from '@/lib/api/helpers';
|
|
import { db } from '@/lib/db';
|
|
import { yachts } from '@/lib/db/schema';
|
|
import { eq } from 'drizzle-orm';
|
|
import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
|
|
import {
|
|
makePort,
|
|
makeClient,
|
|
makeCompany,
|
|
makeYacht,
|
|
makeFullPermissions,
|
|
makeSalesAgentPermissions,
|
|
} from '../../helpers/factories';
|
|
|
|
describe('GET /api/v1/yachts/[id]', () => {
|
|
it('returns the yacht for valid id + port', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
const yacht = await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
name: 'Detail Yacht',
|
|
});
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('GET', `http://localhost/api/v1/yachts/${yacht.id}`);
|
|
const res = await getHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(200);
|
|
const body = await res.json();
|
|
expect(body.data.id).toBe(yacht.id);
|
|
expect(body.data.name).toBe('Detail Yacht');
|
|
});
|
|
|
|
it('returns 404 for wrong port (tenant isolation)', async () => {
|
|
const portA = await makePort();
|
|
const portB = await makePort();
|
|
const client = await makeClient({ portId: portA.id });
|
|
const yacht = await makeYacht({
|
|
portId: portA.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const ctx = makeMockCtx({ portId: portB.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('GET', `http://localhost/api/v1/yachts/${yacht.id}`);
|
|
const res = await getHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('returns 404 for non-existent id', async () => {
|
|
const port = await makePort();
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('GET', 'http://localhost/api/v1/yachts/does-not-exist');
|
|
const res = await getHandler(req, ctx, { id: 'does-not-exist' });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('PATCH /api/v1/yachts/[id]', () => {
|
|
it('updates allowed fields', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
const yacht = await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
name: 'Before',
|
|
});
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('PATCH', `http://localhost/api/v1/yachts/${yacht.id}`, {
|
|
body: { name: 'After', notes: 'updated notes' },
|
|
});
|
|
const res = await patchHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(200);
|
|
const body = await res.json();
|
|
expect(body.data.name).toBe('After');
|
|
expect(body.data.notes).toBe('updated notes');
|
|
});
|
|
|
|
it('returns 400 when attempting to set currentOwnerId (defensive guard)', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
const yacht = await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
// Validator strips owner fields, so we need to bypass it to reach the service's defensive guard.
|
|
// Test the service layer defense by calling the handler with a payload that the validator
|
|
// would accept but which also contains an unknown field that matches the forbidden keys.
|
|
// Actually the validator just omits `owner` — additional keys `currentOwnerId` etc. pass
|
|
// through Zod's .partial() (which still omits unknown keys by default).
|
|
// Zod .strip() is default, so unknown keys are dropped: we assert on the service directly.
|
|
const { updateYacht } = await import('@/lib/services/yachts.service');
|
|
await expect(
|
|
updateYacht(
|
|
yacht.id,
|
|
port.id,
|
|
{ currentOwnerId: 'evil' } as unknown as Parameters<typeof updateYacht>[2],
|
|
{
|
|
userId: ctx.userId,
|
|
portId: port.id,
|
|
ipAddress: ctx.ipAddress,
|
|
userAgent: ctx.userAgent,
|
|
},
|
|
),
|
|
).rejects.toMatchObject({ statusCode: 400 });
|
|
});
|
|
|
|
it('returns 404 for cross-tenant', async () => {
|
|
const portA = await makePort();
|
|
const portB = await makePort();
|
|
const client = await makeClient({ portId: portA.id });
|
|
const yacht = await makeYacht({
|
|
portId: portA.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const ctx = makeMockCtx({ portId: portB.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('PATCH', `http://localhost/api/v1/yachts/${yacht.id}`, {
|
|
body: { name: 'hijack' },
|
|
});
|
|
const res = await patchHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('DELETE /api/v1/yachts/[id]', () => {
|
|
it('archives the yacht (returns 204)', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
const yacht = await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('DELETE', `http://localhost/api/v1/yachts/${yacht.id}`);
|
|
const res = await deleteHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(204);
|
|
const [row] = await db.select().from(yachts).where(eq(yachts.id, yacht.id));
|
|
expect(row?.archivedAt).not.toBeNull();
|
|
});
|
|
|
|
it('returns 404 for cross-tenant', async () => {
|
|
const portA = await makePort();
|
|
const portB = await makePort();
|
|
const client = await makeClient({ portId: portA.id });
|
|
const yacht = await makeYacht({
|
|
portId: portA.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const ctx = makeMockCtx({ portId: portB.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('DELETE', `http://localhost/api/v1/yachts/${yacht.id}`);
|
|
const res = await deleteHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('POST /api/v1/yachts/[id]/transfer', () => {
|
|
it('transfers ownership (200) when caller has yachts.transfer', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
const company = await makeCompany({ portId: port.id });
|
|
const yacht = await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('POST', `http://localhost/api/v1/yachts/${yacht.id}/transfer`, {
|
|
body: {
|
|
newOwner: { type: 'company', id: company.id },
|
|
effectiveDate: new Date().toISOString(),
|
|
transferReason: 'sale',
|
|
},
|
|
});
|
|
const res = await transferHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(200);
|
|
const body = await res.json();
|
|
expect(body.data.currentOwnerType).toBe('company');
|
|
expect(body.data.currentOwnerId).toBe(company.id);
|
|
});
|
|
|
|
it('returns 403 when caller lacks yachts.transfer (only has yachts.edit)', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
const company = await makeCompany({ portId: port.id });
|
|
const yacht = await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const gated = withPermission('yachts', 'transfer', transferHandler);
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeSalesAgentPermissions() });
|
|
const req = makeMockRequest('POST', `http://localhost/api/v1/yachts/${yacht.id}/transfer`, {
|
|
body: {
|
|
newOwner: { type: 'company', id: company.id },
|
|
effectiveDate: new Date().toISOString(),
|
|
},
|
|
});
|
|
const res = await gated(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(403);
|
|
});
|
|
|
|
it('returns 400 when newOwner === currentOwner', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
const yacht = await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('POST', `http://localhost/api/v1/yachts/${yacht.id}/transfer`, {
|
|
body: {
|
|
newOwner: { type: 'client', id: client.id },
|
|
effectiveDate: new Date().toISOString(),
|
|
},
|
|
});
|
|
const res = await transferHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(400);
|
|
});
|
|
});
|
|
|
|
describe('GET /api/v1/yachts/[id]/ownership-history', () => {
|
|
it('returns full history sorted by startDate DESC', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
const company = await makeCompany({ portId: port.id });
|
|
const yacht = await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
// Transfer to create a second history row
|
|
const ctxFull = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const transferReq = makeMockRequest(
|
|
'POST',
|
|
`http://localhost/api/v1/yachts/${yacht.id}/transfer`,
|
|
{
|
|
body: {
|
|
newOwner: { type: 'company', id: company.id },
|
|
effectiveDate: new Date().toISOString(),
|
|
transferReason: 'sale',
|
|
},
|
|
},
|
|
);
|
|
const transferRes = await transferHandler(transferReq, ctxFull, { id: yacht.id });
|
|
expect(transferRes.status).toBe(200);
|
|
|
|
const req = makeMockRequest(
|
|
'GET',
|
|
`http://localhost/api/v1/yachts/${yacht.id}/ownership-history`,
|
|
);
|
|
const res = await historyHandler(req, ctxFull, { id: yacht.id });
|
|
expect(res.status).toBe(200);
|
|
const body = await res.json();
|
|
expect(body.data).toHaveLength(2);
|
|
// Sorted DESC by startDate — newest first
|
|
const firstStart = new Date(body.data[0].startDate).getTime();
|
|
const secondStart = new Date(body.data[1].startDate).getTime();
|
|
expect(firstStart).toBeGreaterThanOrEqual(secondStart);
|
|
});
|
|
|
|
it('returns 404 for cross-tenant yacht', async () => {
|
|
const portA = await makePort();
|
|
const portB = await makePort();
|
|
const client = await makeClient({ portId: portA.id });
|
|
const yacht = await makeYacht({
|
|
portId: portA.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
});
|
|
const ctx = makeMockCtx({ portId: portB.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest(
|
|
'GET',
|
|
`http://localhost/api/v1/yachts/${yacht.id}/ownership-history`,
|
|
);
|
|
const res = await historyHandler(req, ctx, { id: yacht.id });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('GET /api/v1/yachts/autocomplete', () => {
|
|
it('returns matching yachts by name', async () => {
|
|
const port = await makePort();
|
|
const client = await makeClient({ portId: port.id });
|
|
await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
name: 'AutoCompleteMatch One',
|
|
});
|
|
await makeYacht({
|
|
portId: port.id,
|
|
ownerType: 'client',
|
|
ownerId: client.id,
|
|
name: 'OtherName',
|
|
});
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest(
|
|
'GET',
|
|
'http://localhost/api/v1/yachts/autocomplete?q=AutoCompleteMatch',
|
|
);
|
|
const res = await autocompleteHandler(req, ctx, {});
|
|
expect(res.status).toBe(200);
|
|
const body = await res.json();
|
|
expect(body.data.length).toBeGreaterThanOrEqual(1);
|
|
expect(body.data.every((y: { name: string }) => y.name.includes('AutoCompleteMatch'))).toBe(
|
|
true,
|
|
);
|
|
});
|
|
|
|
it('returns empty array when q is missing', async () => {
|
|
const port = await makePort();
|
|
const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest('GET', 'http://localhost/api/v1/yachts/autocomplete');
|
|
const res = await autocompleteHandler(req, ctx, {});
|
|
expect(res.status).toBe(200);
|
|
const body = await res.json();
|
|
expect(body.data).toEqual([]);
|
|
});
|
|
|
|
it('is tenant-scoped', async () => {
|
|
const portA = await makePort();
|
|
const portB = await makePort();
|
|
const clientA = await makeClient({ portId: portA.id });
|
|
await makeYacht({
|
|
portId: portA.id,
|
|
ownerType: 'client',
|
|
ownerId: clientA.id,
|
|
name: 'TenantScopedYachtXYZ',
|
|
});
|
|
const ctx = makeMockCtx({ portId: portB.id, permissions: makeFullPermissions() });
|
|
const req = makeMockRequest(
|
|
'GET',
|
|
'http://localhost/api/v1/yachts/autocomplete?q=TenantScopedYachtXYZ',
|
|
);
|
|
const res = await autocompleteHandler(req, ctx, {});
|
|
expect(res.status).toBe(200);
|
|
const body = await res.json();
|
|
expect(body.data).toEqual([]);
|
|
});
|
|
});
|