Add a 4-layer test stack covering RLS, triggers, and UI flows for Fases 0–2a, then restructure every plan file so future fases start with tests and end with a verification gate. Test suite - packages/test-utils: Vitest integration tests signing HS256 JWTs via jose so each test acts as a specific seed user (createClientAs + createAdminClient) - supabase/tests: pgTAP for accept_invitation(), item_frequency trigger, and promote-on-admin-leave; each file self-installs pgtap extension - apps/web/tests: Playwright E2E with live Keycloak login per test (storageState caching doesn't rehydrate Supabase's session state reliably) - just test-all chains the three suites; test-db forwards POSTGRES_PASSWORD as PGPASSWORD with ON_ERROR_STOP=1 so failures abort the chain Supabase auth gotcha - PostgREST queries inside onAuthStateChange deadlock on GoTrue's navigator.locks auth lock (getAccessToken → getSession → initializePromise waits on the same lock that's held during event dispatch). Fix is two defenses: a pass-through lock in $lib/supabase, and a setTimeout(0) defer in root +layout.svelte to push loadUserCollectives out of the callback's microtask chain. Either alone is insufficient; both together unblock the Playwright suite. Env key rotation - apps/web/.env.development had a stale demo anon key signed with a different secret than root .env; Vite inlined that into the browser bundle so Kong (which uses the root .env value) rejected every request with 401. Aligned the two files and added a memory entry to flag this for the next rotation. Plan restructure (TDD) - Every fase now opens with X.0 Tests primero and closes with X.Z Verificación final. Completed fases (0, 1, 2a) show the pattern retroactively with the tests that currently cover them; pending fases (2b, 3, 4) list the tests to write before implementation. Docs - CLAUDE.md status line reports 54 + 12 + 15 = 81 green tests, adds gotchas #11 (auth-lock deadlock) and #12 (no storageState caching) - README.md adds a TDD methodology section and the test-all command - .gitignore excludes Playwright's generated reports and auth state 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
176 lines
5.3 KiB
TypeScript
176 lines
5.3 KiB
TypeScript
/**
|
|
* E-series: item_frequency RLS — read-only for members, trigger-only writes.
|
|
* The table is populated exclusively by fn_record_item_frequency (SECURITY DEFINER trigger).
|
|
* All direct INSERT/UPDATE/DELETE must be denied.
|
|
*/
|
|
import { describe, it, expect, afterAll } from 'vitest';
|
|
import { createClientAs, createAdminClient } from '../src/supabase-clients.js';
|
|
import { ANA_ID, BORJA_ID, DAVID_ID, EVA_ID, COLLECTIVE_ID } from '../src/seed-constants.js';
|
|
|
|
const admin = createAdminClient();
|
|
|
|
describe('item_frequency read access', () => {
|
|
it('E-01: member (Borja) can read frequency suggestions', async () => {
|
|
const borja = await createClientAs(BORJA_ID);
|
|
const { data, error } = await borja
|
|
.from('item_frequency')
|
|
.select('name, use_count')
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.order('use_count', { ascending: false })
|
|
.limit(5);
|
|
expect(error).toBeNull();
|
|
expect(data!.length).toBeGreaterThanOrEqual(1);
|
|
});
|
|
|
|
it('E-02: guest (David) can read frequency suggestions', async () => {
|
|
const david = await createClientAs(DAVID_ID);
|
|
const { data, error } = await david
|
|
.from('item_frequency')
|
|
.select('name')
|
|
.eq('collective_id', COLLECTIVE_ID);
|
|
expect(error).toBeNull();
|
|
expect(data!.length).toBeGreaterThanOrEqual(1);
|
|
});
|
|
|
|
it('E-03: Eva (non-member) sees no frequency data', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
const { data } = await eva
|
|
.from('item_frequency')
|
|
.select('name')
|
|
.eq('collective_id', COLLECTIVE_ID);
|
|
expect(data).toHaveLength(0);
|
|
});
|
|
|
|
it('E-04: prefix filter returns matching suggestions', async () => {
|
|
const borja = await createClientAs(BORJA_ID);
|
|
const { data, error } = await borja
|
|
.from('item_frequency')
|
|
.select('name')
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.ilike('name', 'mi%');
|
|
expect(error).toBeNull();
|
|
// "milk" matches "mi%"
|
|
expect(data!.some((row) => row.name === 'milk')).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('item_frequency write protection', () => {
|
|
it('E-05: member (Borja) cannot INSERT directly into item_frequency', async () => {
|
|
const borja = await createClientAs(BORJA_ID);
|
|
const { data, error } = await borja
|
|
.from('item_frequency')
|
|
.insert({ collective_id: COLLECTIVE_ID, name: 'hacked item', use_count: 999 })
|
|
.select()
|
|
.single();
|
|
expect(data).toBeNull();
|
|
expect(error).not.toBeNull();
|
|
});
|
|
|
|
it('E-06: admin (Ana) cannot UPDATE item_frequency directly', async () => {
|
|
const ana = await createClientAs(ANA_ID);
|
|
await ana
|
|
.from('item_frequency')
|
|
.update({ use_count: 999 })
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.eq('name', 'milk');
|
|
// Verify count was not changed
|
|
const { data } = await admin
|
|
.from('item_frequency')
|
|
.select('use_count')
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.eq('name', 'milk')
|
|
.single();
|
|
expect(data?.use_count).not.toBe(999);
|
|
});
|
|
|
|
it('E-07: member cannot DELETE from item_frequency', async () => {
|
|
const borja = await createClientAs(BORJA_ID);
|
|
await borja
|
|
.from('item_frequency')
|
|
.delete()
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.eq('name', 'milk');
|
|
// Verify "milk" still exists
|
|
const { data } = await admin
|
|
.from('item_frequency')
|
|
.select('name')
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.eq('name', 'milk')
|
|
.single();
|
|
expect(data?.name).toBe('milk');
|
|
});
|
|
});
|
|
|
|
describe('item_frequency trigger — populated via INSERT on shopping_items', () => {
|
|
let addedItemId: string;
|
|
const TEST_ITEM_NAME = 'trigger-test-item-unique';
|
|
let testListId: string;
|
|
|
|
// Create a temporary list for this test group
|
|
afterAll(async () => {
|
|
if (addedItemId) {
|
|
await admin.from('shopping_items').delete().eq('id', addedItemId);
|
|
}
|
|
if (testListId) {
|
|
await admin.from('shopping_lists').delete().eq('id', testListId);
|
|
}
|
|
// Clean up the frequency record
|
|
await admin
|
|
.from('item_frequency')
|
|
.delete()
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.eq('name', TEST_ITEM_NAME.toLowerCase().trim());
|
|
});
|
|
|
|
it('E-08: adding an item increments item_frequency via trigger', async () => {
|
|
// Get a list to add to
|
|
const { data: lists } = await admin
|
|
.from('shopping_lists')
|
|
.select('id')
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.is('deleted_at', null)
|
|
.limit(1);
|
|
|
|
// Use seed list or create one
|
|
const listId = lists?.[0]?.id;
|
|
if (!listId) {
|
|
const { data: newList } = await admin
|
|
.from('shopping_lists')
|
|
.insert({ collective_id: COLLECTIVE_ID, name: 'Trigger test list', created_by: ANA_ID })
|
|
.select('id')
|
|
.single();
|
|
testListId = newList!.id;
|
|
}
|
|
|
|
const useListId = listId ?? testListId;
|
|
|
|
// Check before count
|
|
const { data: before } = await admin
|
|
.from('item_frequency')
|
|
.select('use_count')
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.eq('name', TEST_ITEM_NAME.toLowerCase())
|
|
.maybeSingle();
|
|
const beforeCount = before?.use_count ?? 0;
|
|
|
|
// Insert an item (trigger fires)
|
|
const ana = await createClientAs(ANA_ID);
|
|
const { data: item, error } = await ana
|
|
.from('shopping_items')
|
|
.insert({ list_id: useListId, name: TEST_ITEM_NAME, sort_order: 999, created_by: ANA_ID })
|
|
.select('id')
|
|
.single();
|
|
expect(error).toBeNull();
|
|
addedItemId = item!.id;
|
|
|
|
// Check after count
|
|
const { data: after } = await admin
|
|
.from('item_frequency')
|
|
.select('use_count')
|
|
.eq('collective_id', COLLECTIVE_ID)
|
|
.eq('name', TEST_ITEM_NAME.toLowerCase())
|
|
.single();
|
|
expect(after?.use_count).toBe(beforeCount + 1);
|
|
});
|
|
});
|