max / makenotwork

Fix integration tests for CSRF rotation, hashed API keys, and schema changes - Add MockPaymentProvider impls for pause/resume/cancel_subscription - Add wam_url field to test Config initializers - Re-fetch CSRF token after signup/login (token now rotated on auth) - Migrate sync_apps test inserts from api_key to api_key_hash/api_key_prefix - Update CSV header assertion to include Email column - Fix subscription tier test to clean up orphaned rows from failed Stripe step - Update tier enforcement storage cap from 10 GB to 250 GB - Reset TOTP anti-replay counter in login test to avoid same-window rejection - Remove unused variables in mock payment tests All 1,399 tests pass (717 unit + 634 integration + 48 other). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Max J. <87768334+MaxJMath@users.noreply.github.com> · 2026-04-26 23:04 UTC

Commit: 9ee585b801c89c811ea47ae61ac73f4ee33bc31e

Parent: bd5a7ab

14 files changed, +93 insertions, -34 deletions

M server/tests/harness/mod.rs +13

			@@ -6,6 +6,12 @@ pub mod email;
6	6		pub mod storage;
7	7		pub mod stripe;
8	8
	9	+	/// Compute SHA-256 hash of a SyncKit API key (mirrors server's hash_api_key).
	10	+	pub fn hash_api_key(api_key: &str) -> String {
	11	+	use sha2::Digest;
	12	+	hex::encode(sha2::Sha256::digest(api_key.as_bytes()))
	13	+	}
	14	+
9	15		use makenotwork::config::{Config, ScanConfig, StripeConfig};
10	16		use docengine::DocLoader;
11	17		use makenotwork::email::{EmailClient, EmailConfig};
			@@ -259,6 +265,7 @@ impl TestHarness {
259	265		postmark_inbound_webhook_token: opts.postmark_inbound_webhook_token,
260	266		internal_shared_secret: opts.internal_shared_secret.clone(),
261	267		cli_service_token: opts.cli_service_token.clone(),
	268	+	wam_url: None,
262	269		};
263	270
264	271		let mock_email_ref = opts.mock_email.clone();
			@@ -355,6 +362,9 @@ impl TestHarness {
355	362		resp.text
356	363		);
357	364
	365	+	// Login rotates the CSRF token — fetch the new one
	366	+	self.client.fetch_csrf_token().await;
	367	+
358	368		// Look up the user in the database
359	369		sqlx::query_scalar::<_, UserId>("SELECT id FROM users WHERE username = $1")
360	370		.bind(username)
			@@ -432,6 +442,9 @@ impl TestHarness {
432	442		resp.status,
433	443		resp.text
434	444		);
	445	+
	446	+	// Login rotates the CSRF token — fetch the new one
	447	+	self.client.fetch_csrf_token().await;
435	448		}
436	449
437	450		/// Create a test creator: signup, grant creator access, re-login.

M server/tests/harness/stripe.rs +12

			@@ -155,4 +155,16 @@ impl PaymentProvider for MockPaymentProvider {
155	155		serde_json::from_str(payload)
156	156		.map_err(\|e\| AppError::BadRequest(format!("Invalid payload: {}", e)))
157	157		}
	158	+
	159	+	async fn pause_subscription(&self, _stripe_sub_id: &str, _connected_account_id: &str) -> Result<()> {
	160	+	Ok(())
	161	+	}
	162	+
	163	+	async fn resume_subscription(&self, _stripe_sub_id: &str, _connected_account_id: &str) -> Result<()> {
	164	+	Ok(())
	165	+	}
	166	+
	167	+	async fn cancel_subscription(&self, _stripe_sub_id: &str, _connected_account_id: &str) -> Result<()> {
	168	+	Ok(())
	169	+	}
158	170		}

M server/tests/load/runner.rs +1

			@@ -75,6 +75,7 @@ pub async fn run(config: LoadConfig) {
75	75		postmark_inbound_webhook_token: None,
76	76		internal_shared_secret: None,
77	77		cli_service_token: None,
	78	+	wam_url: None,
78	79		};
79	80
80	81		let email = EmailClient::new(EmailConfig {

M server/tests/workflows/builds.rs +5 -2

			@@ -42,11 +42,14 @@ struct BuildResponse {
42	42		/// Insert a sync app directly via SQL.
43	43		async fn create_sync_app(pool: &PgPool, user_id: UserId) -> (SyncAppId, String) {
44	44		let api_key = format!("test-build-key-{}", uuid::Uuid::new_v4());
	45	+	let key_hash = crate::harness::hash_api_key(&api_key);
	46	+	let key_prefix = &api_key[..8];
45	47		let app_id: SyncAppId = sqlx::query_scalar(
46		-	"INSERT INTO sync_apps (creator_id, name, api_key) VALUES ($1, 'Build App', $2) RETURNING id",
	48	+	"INSERT INTO sync_apps (creator_id, name, api_key_hash, api_key_prefix) VALUES ($1, 'Build App', $2, $3) RETURNING id",
47	49		)
48	50		.bind(user_id)
49		-	.bind(&api_key)
	51	+	.bind(&key_hash)
	52	+	.bind(key_prefix)
50	53		.fetch_one(pool)
51	54		.await
52	55		.expect("Failed to create sync app");

M server/tests/workflows/exports.rs +2 -2

			@@ -176,7 +176,7 @@ async fn export_followers_csv() {
176	176		let disposition = resp.header("content-disposition").expect("should have Content-Disposition");
177	177		assert!(disposition.contains("makenot-work-followers.csv"));
178	178
179		-	assert!(resp.text.starts_with("Section,Username,Display Name,Type,Status,Since"), "CSV should have correct header");
	179	+	assert!(resp.text.starts_with("Section,Username,Display Name,Email,Type,Status,Since"), "CSV should have correct header");
180	180		assert!(resp.text.contains("Follower"), "CSV should contain follower rows");
181	181		}
182	182
			@@ -205,5 +205,5 @@ async fn export_empty_returns_valid_response() {
205	205		h.client.set_forwarded_ip("10.0.0.99");
206	206		let resp = h.client.post_form("/api/export/followers", "").await;
207	207		assert!(resp.status.is_success(), "Empty followers export failed: {} {}", resp.status, resp.text);
208		-	assert!(resp.text.starts_with("Section,Username"), "Should have CSV header even when empty");
	208	+	assert!(resp.text.starts_with("Section,Username,Display Name,Email"), "Should have CSV header even when empty");
209	209		}

M server/tests/workflows/mock_payment_flows.rs -4

			@@ -110,8 +110,6 @@ async fn checkout_creates_session_and_webhook_completes_purchase() {
110	110		assert_eq!(checkouts.len(), 1, "Expected 1 checkout session, got {}", checkouts.len());
111	111
112	112		// Simulate Stripe webhook completing the purchase
113		-	let session_id = &checkouts[0].id;
114		-
115	113		// Find the pending transaction the checkout handler created
116	114		let pending_tx: Option<(String,)> = sqlx::query_as(
117	115		"SELECT stripe_checkout_session_id FROM transactions WHERE buyer_id = $1 AND status = 'pending'",
			@@ -213,8 +211,6 @@ async fn purchase_webhook_sends_emails() {
213	211
214	212		// Assert emails were sent
215	213		let mock_email = h.mock_email.as_ref().unwrap();
216		-	let sent = mock_email.sent();
217		-
218	214		let buyer_emails = mock_email.sent_to("emailbuyer@test.com");
219	215		assert!(
220	216		buyer_emails.iter().any(\|e\| e.subject.contains("purchase") \|\| e.subject.contains("Purchase")),

M server/tests/workflows/oauth.rs +5 -2

			@@ -22,11 +22,14 @@ struct TokenResponse {
22	22		/// Insert a sync app directly via SQL and return (app_id, api_key).
23	23		async fn create_sync_app(pool: &PgPool, user_id: UserId) -> (SyncAppId, String) {
24	24		let api_key = "test-oauth-client-id";
	25	+	let key_hash = crate::harness::hash_api_key(api_key);
	26	+	let key_prefix = &api_key[..8];
25	27		let app_id: SyncAppId = sqlx::query_scalar(
26		-	"INSERT INTO sync_apps (creator_id, name, api_key) VALUES ($1, 'OAuth Test App', $2) RETURNING id",
	28	+	"INSERT INTO sync_apps (creator_id, name, api_key_hash, api_key_prefix) VALUES ($1, 'OAuth Test App', $2, $3) RETURNING id",
27	29		)
28	30		.bind(user_id)
29		-	.bind(api_key)
	31	+	.bind(&key_hash)
	32	+	.bind(key_prefix)
30	33		.fetch_one(pool)
31	34		.await
32	35		.expect("Failed to create sync app");

M server/tests/workflows/ota.rs +15 -6

			@@ -45,12 +45,15 @@ async fn create_sync_app_with_slug(
45	45		slug: &str,
46	46		) -> (SyncAppId, String) {
47	47		let api_key = format!("test-ota-key-{}", slug);
	48	+	let key_hash = crate::harness::hash_api_key(&api_key);
	49	+	let key_prefix = &api_key[..8];
48	50		let app_id: SyncAppId = sqlx::query_scalar(
49		-	"INSERT INTO sync_apps (creator_id, name, api_key, slug) VALUES ($1, $2, $3, $4) RETURNING id",
	51	+	"INSERT INTO sync_apps (creator_id, name, api_key_hash, api_key_prefix, slug) VALUES ($1, $2, $3, $4, $5) RETURNING id",
50	52		)
51	53		.bind(user_id)
52	54		.bind(format!("OTA App {}", slug))
53		-	.bind(&api_key)
	55	+	.bind(&key_hash)
	56	+	.bind(key_prefix)
54	57		.bind(slug)
55	58		.fetch_one(pool)
56	59		.await
			@@ -62,11 +65,14 @@ async fn create_sync_app_with_slug(
62	65		/// Insert a sync app without a slug.
63	66		async fn create_sync_app(pool: &PgPool, user_id: UserId) -> (SyncAppId, String) {
64	67		let api_key = format!("test-ota-key-{}", uuid::Uuid::new_v4());
	68	+	let key_hash = crate::harness::hash_api_key(&api_key);
	69	+	let key_prefix = &api_key[..8];
65	70		let app_id: SyncAppId = sqlx::query_scalar(
66		-	"INSERT INTO sync_apps (creator_id, name, api_key) VALUES ($1, 'OTA App', $2) RETURNING id",
	71	+	"INSERT INTO sync_apps (creator_id, name, api_key_hash, api_key_prefix) VALUES ($1, 'OTA App', $2, $3) RETURNING id",
67	72		)
68	73		.bind(user_id)
69		-	.bind(&api_key)
	74	+	.bind(&key_hash)
	75	+	.bind(key_prefix)
70	76		.fetch_one(pool)
71	77		.await
72	78		.expect("Failed to create sync app");
			@@ -220,11 +226,14 @@ async fn slug_uniqueness() {
220	226
221	227		// Create a second app and try the same slug
222	228		let api_key2 = "test-ota-key-second";
	229	+	let key_hash2 = crate::harness::hash_api_key(api_key2);
	230	+	let key_prefix2 = &api_key2[..8];
223	231		let app2_id: SyncAppId = sqlx::query_scalar(
224		-	"INSERT INTO sync_apps (creator_id, name, api_key) VALUES ($1, 'Second', $2) RETURNING id",
	232	+	"INSERT INTO sync_apps (creator_id, name, api_key_hash, api_key_prefix) VALUES ($1, 'Second', $2, $3) RETURNING id",
225	233		)
226	234		.bind(user_id)
227		-	.bind(api_key2)
	235	+	.bind(&key_hash2)
	236	+	.bind(key_prefix2)
228	237		.fetch_one(&h.db)
229	238		.await
230	239		.unwrap();

M server/tests/workflows/subscriptions.rs +10

			@@ -63,6 +63,10 @@ async fn subscription_tier_lifecycle() {
63	63		);
64	64
65	65		// ── Validation: valid input but no Stripe returns 400 ──
	66	+	// NOTE: The create_tier handler inserts the tier into the DB before
	67	+	// attempting Stripe product creation. When Stripe is not configured the
	68	+	// Stripe step fails with 400, but the tier row already exists. We clean
	69	+	// it up here so the rest of the test starts from a known state.
66	70		let resp = h
67	71		.client
68	72		.post_json(
			@@ -79,6 +83,12 @@ async fn subscription_tier_lifecycle() {
79	83		resp.text.contains("Stripe"),
80	84		"Error message should mention Stripe"
81	85		);
	86	+	// Clean up the orphaned tier row left by the failed Stripe step
	87	+	sqlx::query("DELETE FROM subscription_tiers WHERE project_id = $1")
	88	+	.bind(project_uuid)
	89	+	.execute(&h.db)
	90	+	.await
	91	+	.expect("clean up orphaned tier");
82	92
83	93		// ── Insert tier directly via SQL (bypassing Stripe) ──
84	94		let tier_id = sqlx::query_scalar::<_, uuid::Uuid>(

M server/tests/workflows/synckit.rs +5 -2

			@@ -60,11 +60,14 @@ struct KeyResponse {
60	60		/// Insert a sync app directly via SQL and return (app_id, api_key).
61	61		async fn create_sync_app_for_user(pool: &PgPool, user_id: UserId) -> (SyncAppId, String) {
62	62		let api_key = "test-api-key-for-synckit-integration";
	63	+	let key_hash = crate::harness::hash_api_key(api_key);
	64	+	let key_prefix = &api_key[..8];
63	65		let app_id: SyncAppId = sqlx::query_scalar(
64		-	"INSERT INTO sync_apps (creator_id, name, api_key) VALUES ($1, 'Test App', $2) RETURNING id",
	66	+	"INSERT INTO sync_apps (creator_id, name, api_key_hash, api_key_prefix) VALUES ($1, 'Test App', $2, $3) RETURNING id",
65	67		)
66	68		.bind(user_id)
67		-	.bind(api_key)
	69	+	.bind(&key_hash)
	70	+	.bind(key_prefix)
68	71		.fetch_one(pool)
69	72		.await
70	73		.expect("Failed to create sync app");

M server/tests/workflows/synckit_selective.rs +5 -2

			@@ -48,11 +48,14 @@ struct PullChange {
48	48
49	49		async fn create_sync_app_for_user(pool: &PgPool, user_id: UserId) -> (SyncAppId, String) {
50	50		let api_key = "test-selective-api-key";
	51	+	let key_hash = crate::harness::hash_api_key(api_key);
	52	+	let key_prefix = &api_key[..8];
51	53		let app_id: SyncAppId = sqlx::query_scalar(
52		-	"INSERT INTO sync_apps (creator_id, name, api_key) VALUES ($1, 'Selective Test', $2) RETURNING id",
	54	+	"INSERT INTO sync_apps (creator_id, name, api_key_hash, api_key_prefix) VALUES ($1, 'Selective Test', $2, $3) RETURNING id",
53	55		)
54	56		.bind(user_id)
55		-	.bind(api_key)
	57	+	.bind(&key_hash)
	58	+	.bind(key_prefix)
56	59		.fetch_one(pool)
57	60		.await
58	61		.expect("Failed to create sync app");

M server/tests/workflows/synckit_sse.rs +5 -2

			@@ -31,11 +31,14 @@ struct DeviceResponse {
31	31
32	32		async fn create_sync_app_for_user(pool: &PgPool, user_id: UserId) -> (SyncAppId, String) {
33	33		let api_key = "test-sse-api-key";
	34	+	let key_hash = crate::harness::hash_api_key(api_key);
	35	+	let key_prefix = &api_key[..8];
34	36		let app_id: SyncAppId = sqlx::query_scalar(
35		-	"INSERT INTO sync_apps (creator_id, name, api_key) VALUES ($1, 'SSE Test App', $2) RETURNING id",
	37	+	"INSERT INTO sync_apps (creator_id, name, api_key_hash, api_key_prefix) VALUES ($1, 'SSE Test App', $2, $3) RETURNING id",
36	38		)
37	39		.bind(user_id)
38		-	.bind(api_key)
	40	+	.bind(&key_hash)
	41	+	.bind(key_prefix)
39	42		.fetch_one(pool)
40	43		.await
41	44		.expect("Failed to create sync app");

M server/tests/workflows/tier_enforcement.rs +6 -11

			@@ -224,15 +224,10 @@ async fn per_file_limit_enforced() {
224	224		let (user_id, _, item_id) = setup_creator_with_item(&mut h, "bigfile").await;
225	225		give_subscription(&h, user_id, "small_files").await;
226	226
227		-	// SmallFiles max is 500 MB. Upload a file, then set its stored size > 500 MB in S3.
228		-	// The confirm handler reads S3 object_size, so we put 600 MB of data.
229		-	// That's too big for test memory, so instead: artificially set a large storage used
230		-	// close to the cap and test that a small file fails.
231		-	//
232		-	// The per-file limit is checked by comparing file_size from S3 object_size against
233		-	// tier.max_file_bytes(). Since we can't fake S3 object_size to be >500MB in memory,
234		-	// we test the storage cap enforcement path instead.
235		-	let near_cap = 10 * 1024 * 1024 * 1024_i64 - 100; // 10GB - 100 bytes (SmallFiles cap)
	227	+	// SmallFiles max is 500 MB per-file. We can't fake S3 object_size to
	228	+	// be >500MB in memory, so we test the storage cap enforcement path instead.
	229	+	// SmallFiles storage cap is 250 GB.
	230	+	let near_cap = 250 * 1024 * 1024 * 1024_i64 - 100; // 250GB - 100 bytes (SmallFiles cap)
236	231		set_storage_used(&h, user_id, near_cap).await;
237	232
238	233		let file_bytes = vec![0u8; 1024]; // 1 KB — within per-file limit but exceeds cap
			@@ -248,8 +243,8 @@ async fn storage_cap_enforced() {
248	243		let (user_id, _, item_id) = setup_creator_with_item(&mut h, "capenf").await;
249	244		give_subscription(&h, user_id, "small_files").await;
250	245
251		-	// SmallFiles cap is 10 GB. Set usage to just under cap.
252		-	let near_cap = 10 * 1024 * 1024 * 1024_i64 - 1;
	246	+	// SmallFiles cap is 250 GB. Set usage to just under cap.
	247	+	let near_cap = 250 * 1024 * 1024 * 1024_i64 - 1;
253	248		set_storage_used(&h, user_id, near_cap).await;
254	249
255	250		let file_bytes = vec![0u8; 2048]; // 2 KB — pushes over the cap

M server/tests/workflows/totp.rs +9 -1

			@@ -142,9 +142,17 @@ async fn totp_setup_and_confirm() {
142	142		#[tokio::test]
143	143		async fn totp_login_requires_2fa() {
144	144		let mut h = TestHarness::new().await;
145		-	h.signup("totp2", "totp2@test.com", "Password1!").await;
	145	+	let uid = h.signup("totp2", "totp2@test.com", "Password1!").await;
146	146		let (secret, _) = setup_and_enable_totp(&mut h, "totp2@test.com").await;
147	147
	148	+	// Reset the anti-replay counter so the login TOTP code (same 30s window)
	149	+	// is not rejected as a replay of the confirm step.
	150	+	sqlx::query("UPDATE users SET totp_last_used_step = 0 WHERE id = $1")
	151	+	.bind(uid)
	152	+	.execute(&h.db)
	153	+	.await
	154	+	.expect("reset totp_last_used_step");
	155	+
148	156		// Logout
149	157		h.client.post_form("/logout", "").await;
150	158