diff --git a/deploy/dev/test_all_apis.py b/deploy/dev/test_all_apis.py index cdc28b5..24d0ecc 100644 --- a/deploy/dev/test_all_apis.py +++ b/deploy/dev/test_all_apis.py @@ -50,6 +50,28 @@ def same_id(left, right): return str(left) == str(right) +def body_text(body): + if not isinstance(body, dict): + return str(body) + if "_raw" in body: + return str(body["_raw"]) + if "message" in body: + return str(body["message"]) + if "_error" in body: + return str(body["_error"]) + return json.dumps(body, ensure_ascii=False) + + +def has_error_text(body, *parts): + text = body_text(body) + return all(part in text for part in parts) + + +def report_rejected(name, status_code, body, expect_status=(400, 403, 500)): + report(name, status_code, body, expect_status=expect_status) + report_check(f"{name} returns error body", bool(body_text(body)), body) + + def pick_items(body): if isinstance(body.get("items"), list): return body["items"] @@ -572,6 +594,20 @@ def phase3_admin_and_verification( body, ) + code, body, _ = s_reject.post( + f"{GATEWAY}/api/v1/users/me/switch-role", + json_body={"role": "owner"}, + headers=csrf_reject, + ) + report_rejected("POST /users/me/switch-role (rejected owner)", code, body) + code, body, _ = s_reject.get(f"{GATEWAY}/api/v1/users/me") + report("GET /users/me (after rejected owner switch)", code, body) + report_check( + "rejected owner switch does not change current role", + body.get("role") == "consumer", + body, + ) + code, body, _ = s_user.get(f"{GATEWAY}/api/v1/users/me") report("GET /users/me (after approval)", code, body) verified_roles = body.get("verifiedRoles") or [] @@ -1094,6 +1130,40 @@ def phase7_shop( body, ) + code, body, _ = s_invited_player.post( + f"{GATEWAY}/api/v1/shops/{shop_id}/invitations", + json_body={"playerId": invited_player_id}, + headers=s_invited_player.csrf_headers(), + ) + report_rejected( + f"POST /shops/{shop_id}/invitations (non-owner)", + code, + body, + ) + + if invitation_id: + code, body, _ = s_owner.post( + f"{GATEWAY}/api/v1/shops/invitations/{invitation_id}/accept", + json_body={}, + headers=csrf, + ) + report_rejected( + f"POST /shops/invitations/{invitation_id}/accept (wrong player)", + code, + body, + ) + code, body, _ = s_owner.get( + f"{GATEWAY}/api/v1/shops/{shop_id}/invitations", + ) + report(f"GET /shops/{shop_id}/invitations (after wrong accept)", code, body) + pending_invitation = find_item_by_id(pick_items(body), invitation_id) + report_check( + "wrong invitation accept keeps status pending", + bool(pending_invitation) + and pending_invitation.get("status") == "pending", + body, + ) + s_invited_player.post( f"{GATEWAY}/api/v1/users/me/switch-role", json_body={"role": "player"}, @@ -1272,6 +1342,22 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s body, ) + code, body, _ = s_actor.post( + f"{GATEWAY}/api/v1/orders/{order_id}/accept", + json_body={}, + headers=s_actor.csrf_headers(), + ) + report_rejected(f"POST /orders/{order_id}/accept (before pay)", code, body) + check_order_status(s_consumer, order_id, "pending_payment", "after early accept") + + code, body, _ = s_consumer.post( + f"{GATEWAY}/api/v1/orders/{order_id}/confirm-close", + json_body={}, + headers=csrf, + ) + report_rejected(f"POST /orders/{order_id}/confirm-close (before close request)", code, body) + check_order_status(s_consumer, order_id, "pending_payment", "after early confirm-close") + code, body, _ = s_consumer.post( f"{GATEWAY}/api/v1/orders/{order_id}/pay", json_body={}, @@ -1280,6 +1366,22 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s report(f"POST /orders/{order_id}/pay", code, body) check_order_status(s_consumer, order_id, "pending_accept", "after pay") + code, body, _ = s_actor.post( + f"{GATEWAY}/api/v1/orders/{order_id}/request-close", + json_body={}, + headers=s_actor.csrf_headers(), + ) + report_rejected(f"POST /orders/{order_id}/request-close (before accept)", code, body) + check_order_status(s_consumer, order_id, "pending_accept", "after early request-close") + + code, body, _ = s_consumer.post( + f"{GATEWAY}/api/v1/orders/{order_id}/pay", + json_body={}, + headers=csrf, + ) + report_rejected(f"POST /orders/{order_id}/pay (second time)", code, body) + check_order_status(s_consumer, order_id, "pending_accept", "after duplicate pay") + code, body, _ = s_actor.post( f"{GATEWAY}/api/v1/orders/{order_id}/accept", json_body={}, @@ -1289,6 +1391,14 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s body = check_order_status(s_consumer, order_id, "in_progress", "after accept") report_check("accepted order has acceptedAt", bool(body.get("acceptedAt")), body) + code, body, _ = s_consumer.post( + f"{GATEWAY}/api/v1/orders/{order_id}/confirm-close", + json_body={}, + headers=csrf, + ) + report_rejected(f"POST /orders/{order_id}/confirm-close (before request-close)", code, body) + check_order_status(s_consumer, order_id, "in_progress", "after early confirm-close") + code, body, _ = s_actor.post( f"{GATEWAY}/api/v1/orders/{order_id}/request-close", json_body={}, @@ -1322,6 +1432,15 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s body, ) + if order2_id: + code, body, _ = s_consumer.post( + f"{GATEWAY}/api/v1/orders/{order2_id}/review", + json_body={"rating": 5, "content": "too early"}, + headers=csrf, + ) + report_rejected(f"POST /orders/{order2_id}/review (before completion)", code, body) + check_order_status(s_consumer, order2_id, "pending_payment", "after early review") + if order_id: code, body, _ = s_consumer.post( f"{GATEWAY}/api/v1/orders/{order_id}/reorder", @@ -1356,6 +1475,14 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s report(f"POST /orders/{order2_id}/cancel", code, body) check_order_status(s_consumer, order2_id, "cancelled", "second order after cancel") + code, body, _ = s_consumer.post( + f"{GATEWAY}/api/v1/orders/{order2_id}/pay", + json_body={}, + headers=csrf, + ) + report_rejected(f"POST /orders/{order2_id}/pay (after cancel)", code, body) + check_order_status(s_consumer, order2_id, "cancelled", "after cancelled pay") + code, body, _ = s_consumer.post( f"{GATEWAY}/api/v1/orders/paid", json_body={ @@ -1693,6 +1820,26 @@ def phase8e_search_and_favorites(s: Session, user_id, player_id, shop_id): skip("Favorites mutation flow", "Missing user or player id") return + code, body, _ = s.post( + f"{GATEWAY}/api/v1/favorites", + json_body={"targetType": "player", "targetId": "not-a-snowflake"}, + headers=s.csrf_headers(), + ) + report_rejected("POST /favorites (invalid targetId)", code, body) + code, body, _ = s.get(f"{GATEWAY}/api/v1/favorites") + report("GET /favorites (after invalid targetId)", code, body) + report_check( + "invalid favorite target is absent", + not bool( + find_item( + pick_items(body), + lambda item: item.get("targetType") == "player" + and same_id(item.get("targetId"), "not-a-snowflake"), + ) + ), + body, + ) + code, body, _ = s.post( f"{GATEWAY}/api/v1/favorites", json_body={"targetType": "player", "targetId": str(player_id)}, @@ -1797,6 +1944,35 @@ def phase9_wallet(s: Session): body, ) + code, body, _ = s.post( + f"{GATEWAY}/api/v1/wallet/withdraw", + json_body={"amount": "0", "method": "alipay"}, + headers=csrf, + ) + report_rejected("POST /wallet/withdraw (zero amount)", code, body) + code, body, _ = s.get(f"{GATEWAY}/api/v1/wallet/balance") + report("GET /wallet/balance (after zero withdraw)", code, body) + report_check( + "zero withdraw keeps balance unchanged", + as_decimal(body.get("balance")) == initial_balance, + body, + ) + + excessive_amount = initial_balance + Decimal("999999") + code, body, _ = s.post( + f"{GATEWAY}/api/v1/wallet/withdraw", + json_body={"amount": str(excessive_amount), "method": "alipay"}, + headers=csrf, + ) + report_rejected("POST /wallet/withdraw (insufficient balance)", code, body) + code, body, _ = s.get(f"{GATEWAY}/api/v1/wallet/balance") + report("GET /wallet/balance (after insufficient withdraw)", code, body) + report_check( + "insufficient withdraw keeps balance unchanged", + as_decimal(body.get("balance")) == initial_balance, + body, + ) + code, body, _ = s.post( f"{GATEWAY}/api/v1/wallet/topup", json_body={"amount": "100.00", "method": "alipay"}, @@ -2013,6 +2189,15 @@ def phase10_community(s: Session, user_id): def phase11_objectstory(s: Session): print("\n=== Phase 11: Objectstory (File) ===") + code, body, _ = s.post_multipart( + f"{GATEWAY}/api/v1/upload", + fields={"type": "post"}, + files={"file": (f"empty-{rand_str(4)}.txt", b"", "text/plain")}, + headers=s.csrf_headers(), + ) + report_rejected("POST /upload (empty file)", code, body) + report_check("empty upload does not return url", not body.get("url"), body) + code, body, _ = s.post_multipart( f"{GATEWAY}/api/v1/upload", fields={"type": "post"},