john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tractatus/tests/integration/api.koha.test.js
TheFlow 2298d36bed fix(submissions): restructure Economist package and fix article display 
- Create Economist SubmissionTracking package correctly:
  * mainArticle = full blog post content
  * coverLetter = 216-word SIR— letter
  * Links to blog post via blogPostId
- Archive 'Letter to The Economist' from blog posts (it's the cover letter)
- Fix date display on article cards (use published_at)
- Target publication already displaying via blue badge

Database changes:
- Make blogPostId optional in SubmissionTracking model
- Economist package ID: 68fa85ae49d4900e7f2ecd83
- Le Monde package ID: 68fa2abd2e6acd5691932150

Next: Enhanced modal with tabs, validation, export

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-24 08:47:42 +13:00

342 lines
10 KiB
JavaScript
Raw Blame History

/**
* Integration Tests - Koha API (Donation System)
* Tests donation endpoints, authentication, and security features
*/
const request = require('supertest');
const { MongoClient, ObjectId } = require('mongodb');
const bcrypt = require('bcrypt');
const app = require('../../src/server');
const config = require('../../src/config/app.config');
describe('Koha API Integration Tests', () => {
let connection;
let db;
let adminToken;
let testDonationId;
let testSubscriptionId;
const adminUser = {
email: 'admin@koha.test.local',
password: 'AdminKoha123!',
role: 'admin'
};
// Connect to database and setup test data
beforeAll(async () => {
connection = await MongoClient.connect(config.mongodb.uri);
db = connection.db(config.mongodb.db);
// Clean up any existing test data
await db.collection('users').deleteMany({ email: adminUser.email });
await db.collection('koha_donations').deleteMany({ 'donor.email': /test.*@koha\.test/ });
// Create admin user
const adminHash = await bcrypt.hash(adminUser.password, 10);
await db.collection('users').insertOne({
email: adminUser.email,
password: adminHash,
name: 'Koha Test Admin',
role: adminUser.role,
created_at: new Date(),
active: true,
last_login: null
});
// Get admin token
const loginResponse = await request(app)
.post('/api/auth/login')
.send({
email: adminUser.email,
password: adminUser.password
});
adminToken = loginResponse.body.token;
// Create test donation with subscription
const result = await db.collection('koha_donations').insertOne({
amount: 1500, // $15.00
currency: 'nzd',
frequency: 'monthly',
tier: '15',
donor: {
name: 'Test Donor',
email: 'donor@koha.test',
country: 'NZ'
},
stripe: {
customer_id: 'cus_test123',
subscription_id: 'sub_test123'
},
status: 'completed',
created_at: new Date(),
updated_at: new Date()
});
testDonationId = result.insertedId.toString();
testSubscriptionId = 'sub_test123';
});
// Clean up test data
afterAll(async () => {
await db.collection('users').deleteMany({ email: adminUser.email });
await db.collection('koha_donations').deleteMany({ 'donor.email': /test.*@koha\.test/ });
if (testDonationId) {
await db.collection('koha_donations').deleteOne({ _id: new ObjectId(testDonationId) });
}
await connection.close();
});
describe('GET /api/koha/transparency', () => {
test('should return public transparency metrics', async () => {
const response = await request(app)
.get('/api/koha/transparency')
.expect(200);
expect(response.body).toHaveProperty('success', true);
expect(response.body).toHaveProperty('data');
expect(response.body.data).toHaveProperty('total_received');
expect(response.body.data).toHaveProperty('monthly_supporters');
expect(response.body.data).toHaveProperty('allocation');
});
});
describe('POST /api/koha/cancel', () => {
test('should require subscription ID and email', async () => {
const response = await request(app)
.post('/api/koha/cancel')
.send({})
.expect(400);
expect(response.body).toHaveProperty('error');
});
test('should reject cancellation with wrong email (security)', async () => {
const response = await request(app)
.post('/api/koha/cancel')
.send({
subscriptionId: testSubscriptionId,
email: 'wrong@email.com'
})
.expect(403);
expect(response.body).toHaveProperty('error');
expect(response.body.error).toContain('does not match');
});
test('should reject cancellation of non-existent subscription', async () => {
const response = await request(app)
.post('/api/koha/cancel')
.send({
subscriptionId: 'sub_nonexistent',
email: 'any@email.com'
})
.expect(404);
expect(response.body).toHaveProperty('error');
});
test('should allow cancellation with correct email', async () => {
// Skip if Stripe is not configured
if (!process.env.STRIPE_SECRET_KEY || process.env.STRIPE_SECRET_KEY.includes('PLACEHOLDER')) {
console.warn('Skipping test: Stripe not configured');
return;
}
const response = await request(app)
.post('/api/koha/cancel')
.send({
subscriptionId: testSubscriptionId,
email: 'donor@koha.test'
});
// Will fail with Stripe error in test environment, but should pass email verification
// The 500 error would be from Stripe, not from email validation
expect([200, 500]).toContain(response.status);
});
test('should be rate limited after 10 attempts', async () => {
// Make 11 requests rapidly
const requests = [];
for (let i = 0; i < 11; i++) {
requests.push(
request(app)
.post('/api/koha/cancel')
.send({
subscriptionId: 'sub_test',
email: `test${i}@rate-limit.test`
})
);
}
const responses = await Promise.all(requests);
// At least one should be rate limited (429)
const rateLimited = responses.some(r => r.status === 429);
expect(rateLimited).toBe(true);
}, 30000); // Increase timeout for rate limit test
});
describe('GET /api/koha/statistics (Admin Only)', () => {
test('should require authentication', async () => {
const response = await request(app)
.get('/api/koha/statistics')
.expect(401);
expect(response.body).toHaveProperty('error');
});
test('should require admin role', async () => {
// Create regular user
const regularUser = {
email: 'user@koha.test.local',
password: 'UserKoha123!'
};
const userHash = await bcrypt.hash(regularUser.password, 10);
await db.collection('users').insertOne({
email: regularUser.email,
password: userHash,
name: 'Regular User',
role: 'user',
created_at: new Date(),
active: true
});
// Get user token
const loginResponse = await request(app)
.post('/api/auth/login')
.send({
email: regularUser.email,
password: regularUser.password
});
const userToken = loginResponse.body.token;
// Try to access admin endpoint
const response = await request(app)
.get('/api/koha/statistics')
.set('Authorization', `Bearer ${userToken}`)
.expect(403);
expect(response.body).toHaveProperty('error');
// Clean up
await db.collection('users').deleteOne({ email: regularUser.email });
});
test('should return statistics with admin auth', async () => {
const response = await request(app)
.get('/api/koha/statistics')
.set('Authorization', `Bearer ${adminToken}`)
.expect(200);
expect(response.body).toHaveProperty('success', true);
expect(response.body).toHaveProperty('data');
expect(response.body.data).toHaveProperty('total_count');
expect(response.body.data).toHaveProperty('total_amount');
expect(response.body.data).toHaveProperty('by_frequency');
});
test('should support date range filtering', async () => {
const startDate = '2025-01-01';
const endDate = '2025-12-31';
const response = await request(app)
.get(`/api/koha/statistics?startDate=${startDate}&endDate=${endDate}`)
.set('Authorization', `Bearer ${adminToken}`)
.expect(200);
expect(response.body).toHaveProperty('success', true);
});
});
describe('POST /api/koha/checkout (Rate Limiting)', () => {
test('should be rate limited after 10 attempts', async () => {
// Skip if Stripe is not configured
if (!process.env.STRIPE_SECRET_KEY || process.env.STRIPE_SECRET_KEY.includes('PLACEHOLDER')) {
console.warn('Skipping test: Stripe not configured');
return;
}
const requests = [];
for (let i = 0; i < 11; i++) {
requests.push(
request(app)
.post('/api/koha/checkout')
.send({
amount: 500,
frequency: 'one_time',
donor: {
name: 'Test Donor',
email: `test${i}@rate-limit.test`,
country: 'NZ'
}
})
);
}
const responses = await Promise.all(requests);
// At least one should be rate limited (429)
const rateLimited = responses.some(r => r.status === 429);
expect(rateLimited).toBe(true);
}, 30000); // Increase timeout for rate limit test
});
describe('Security Validations', () => {
test('should validate minimum donation amount', async () => {
const response = await request(app)
.post('/api/koha/checkout')
.send({
amount: 50, // Less than minimum (100 = $1.00)
frequency: 'one_time',
donor: {
email: 'test@security.test'
}
})
.expect(400);
expect(response.body).toHaveProperty('error');
});
test('should validate required fields for checkout', async () => {
const response = await request(app)
.post('/api/koha/checkout')
.send({
// Missing amount, frequency, donor.email
})
.expect(400);
expect(response.body).toHaveProperty('error');
});
test('should validate frequency values', async () => {
const response = await request(app)
.post('/api/koha/checkout')
.send({
amount: 1000,
frequency: 'invalid_frequency',
donor: {
email: 'test@security.test'
}
})
.expect(400);
expect(response.body).toHaveProperty('error');
});
test('should validate tier for monthly donations', async () => {
const response = await request(app)
.post('/api/koha/checkout')
.send({
amount: 1000,
frequency: 'monthly',
tier: 'invalid_tier',
donor: {
email: 'test@security.test'
}
})
.expect(400);
expect(response.body).toHaveProperty('error');
});
});
});
Reference in a new issue View git blame Copy permalink