letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
e2b5898efca0fb1e3945e4118dbbdd0dd6fa314f
pn-new-crm/tests/integration/ownership-transfer.test.ts
Matt e2b5898efc
Some checks failed
Build & Push Docker Images / lint (push) Successful in 1m31s
Details
Build & Push Docker Images / build-and-push (push) Has been cancelled
Details
chore(deps): bump next 15.2.9→15.5.18 + drizzle-orm 0.38.4→0.45.2 (Phase 1b/c) 
Security-driven version bumps; both stay within their existing major.

next 15.2.9 → 15.5.18 closes (1 high + 6 moderate next-specific CVEs):
- DoS via Server Components (high)
- Image Optimizer cache key confusion / content injection (moderate)
- Improper middleware redirect handling → SSRF (moderate)
- HTTP request smuggling in rewrites (moderate)
- Unbounded next/image disk cache growth → storage exhaustion (moderate)
- Self-hosted DoS via Image Optimizer remotePatterns (moderate)

drizzle-orm 0.38.4 → 0.45.2 closes:
- SQL injection via improperly escaped SQL identifiers (high)

Drizzle 0.45 changed query-error wrapping: outer Error.message is now
generic ("Failed query: insert into ...") with the postgres error on
.cause. Two integration test suites updated to assert on
cause.code === '23505' (postgres unique_violation) instead of message
regex — more robust + unambiguous.

eslint-config-next bumped 15.2.9 → 15.5.18 to match.
drizzle-kit bumped 0.30.6 → 0.31.10 to match.

Note: next-env.d.ts is auto-generated by next at build time; not
committed here (the new triple-slash routes reference would fail the
project's eslint rule, and CI regenerates it anyway).

Tests: 1185/1185 vitest passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 16:34:01 +02:00

77 lines
2.8 KiB
TypeScript
Raw Blame History

import { describe, it, expect } from 'vitest';
import { transferOwnership } from '@/lib/services/yachts.service';
import { makeClient, makePort, makeYacht, makeAuditMeta } from '../helpers/factories';
import { db } from '@/lib/db';
import { yachtOwnershipHistory, yachts } from '@/lib/db/schema';
import { eq } from 'drizzle-orm';
describe('transferOwnership', () => {
it('closes prior history row and opens a new one atomically', async () => {
const port = await makePort();
const clientA = await makeClient({ portId: port.id });
const clientB = await makeClient({ portId: port.id });
const yacht = await makeYacht({ portId: port.id, ownerType: 'client', ownerId: clientA.id });
await transferOwnership(
yacht.id,
port.id,
{
newOwner: { type: 'client', id: clientB.id },
effectiveDate: new Date(),
transferReason: 'sale',
},
makeAuditMeta(),
);
const history = await db
.select()
.from(yachtOwnershipHistory)
.where(eq(yachtOwnershipHistory.yachtId, yacht.id));
expect(history).toHaveLength(2);
const [prior, current] = history.sort((a, b) => a.startDate.getTime() - b.startDate.getTime());
expect(prior!.endDate).not.toBeNull();
expect(current!.endDate).toBeNull();
expect(current!.ownerId).toBe(clientB.id);
const updatedYacht = await db.query.yachts.findFirst({ where: eq(yachts.id, yacht.id) });
expect(updatedYacht!.currentOwnerId).toBe(clientB.id);
});
it('rejects when newOwner = currentOwner (no-op)', async () => {
const port = await makePort();
const client = await makeClient({ portId: port.id });
const yacht = await makeYacht({ portId: port.id, ownerType: 'client', ownerId: client.id });
await expect(
transferOwnership(
yacht.id,
port.id,
{ newOwner: { type: 'client', id: client.id }, effectiveDate: new Date() },
makeAuditMeta(),
),
).rejects.toThrow(/same owner/i);
});
it('partial unique index prevents concurrent double-open ownership rows', async () => {
// Prior to the atomic close-then-open, a naive impl would insert a new open row
// without closing the old one. Verify this would be blocked at the DB level.
const port = await makePort();
const clientA = await makeClient({ portId: port.id });
const clientB = await makeClient({ portId: port.id });
const yacht = await makeYacht({ portId: port.id, ownerType: 'client', ownerId: clientA.id });
await expect(
db.insert(yachtOwnershipHistory).values({
yachtId: yacht.id,
ownerType: 'client',
ownerId: clientB.id,
startDate: new Date(),
endDate: null,
createdBy: 'test',
}),
).rejects.toMatchObject({
cause: expect.objectContaining({ code: '23505' }),
});
});
});
Reference in New Issue View Git Blame Copy Permalink