test: 补充 dev 接口负向流程断言

2026-04-25 13:23:32 +08:00
parent 7f2d3f7d0e
commit 813b9de07e
1 changed files with 185 additions and 0 deletions
@@ -50,6 +50,28 @@ def same_id(left, right):
    return str(left) == str(right)


+def body_text(body):
+    if not isinstance(body, dict):
+        return str(body)
+    if "_raw" in body:
+        return str(body["_raw"])
+    if "message" in body:
+        return str(body["message"])
+    if "_error" in body:
+        return str(body["_error"])
+    return json.dumps(body, ensure_ascii=False)
+
+
+def has_error_text(body, *parts):
+    text = body_text(body)
+    return all(part in text for part in parts)
+
+
+def report_rejected(name, status_code, body, expect_status=(400, 403, 500)):
+    report(name, status_code, body, expect_status=expect_status)
+    report_check(f"{name} returns error body", bool(body_text(body)), body)
+
+
 def pick_items(body):
    if isinstance(body.get("items"), list):
        return body["items"]
@@ -572,6 +594,20 @@ def phase3_admin_and_verification(
        body,
    )

+    code, body, _ = s_reject.post(
+        f"{GATEWAY}/api/v1/users/me/switch-role",
+        json_body={"role": "owner"},
+        headers=csrf_reject,
+    )
+    report_rejected("POST /users/me/switch-role (rejected owner)", code, body)
+    code, body, _ = s_reject.get(f"{GATEWAY}/api/v1/users/me")
+    report("GET /users/me (after rejected owner switch)", code, body)
+    report_check(
+        "rejected owner switch does not change current role",
+        body.get("role") == "consumer",
+        body,
+    )
+
    code, body, _ = s_user.get(f"{GATEWAY}/api/v1/users/me")
    report("GET /users/me (after approval)", code, body)
    verified_roles = body.get("verifiedRoles") or []
@@ -1094,6 +1130,40 @@ def phase7_shop(
                body,
            )

+            code, body, _ = s_invited_player.post(
+                f"{GATEWAY}/api/v1/shops/{shop_id}/invitations",
+                json_body={"playerId": invited_player_id},
+                headers=s_invited_player.csrf_headers(),
+            )
+            report_rejected(
+                f"POST /shops/{shop_id}/invitations (non-owner)",
+                code,
+                body,
+            )
+
+            if invitation_id:
+                code, body, _ = s_owner.post(
+                    f"{GATEWAY}/api/v1/shops/invitations/{invitation_id}/accept",
+                    json_body={},
+                    headers=csrf,
+                )
+                report_rejected(
+                    f"POST /shops/invitations/{invitation_id}/accept (wrong player)",
+                    code,
+                    body,
+                )
+                code, body, _ = s_owner.get(
+                    f"{GATEWAY}/api/v1/shops/{shop_id}/invitations",
+                )
+                report(f"GET /shops/{shop_id}/invitations (after wrong accept)", code, body)
+                pending_invitation = find_item_by_id(pick_items(body), invitation_id)
+                report_check(
+                    "wrong invitation accept keeps status pending",
+                    bool(pending_invitation)
+                    and pending_invitation.get("status") == "pending",
+                    body,
+                )
+
            s_invited_player.post(
                f"{GATEWAY}/api/v1/users/me/switch-role",
                json_body={"role": "player"},
@@ -1272,6 +1342,22 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s
            body,
        )

+        code, body, _ = s_actor.post(
+            f"{GATEWAY}/api/v1/orders/{order_id}/accept",
+            json_body={},
+            headers=s_actor.csrf_headers(),
+        )
+        report_rejected(f"POST /orders/{order_id}/accept (before pay)", code, body)
+        check_order_status(s_consumer, order_id, "pending_payment", "after early accept")
+
+        code, body, _ = s_consumer.post(
+            f"{GATEWAY}/api/v1/orders/{order_id}/confirm-close",
+            json_body={},
+            headers=csrf,
+        )
+        report_rejected(f"POST /orders/{order_id}/confirm-close (before close request)", code, body)
+        check_order_status(s_consumer, order_id, "pending_payment", "after early confirm-close")
+
        code, body, _ = s_consumer.post(
            f"{GATEWAY}/api/v1/orders/{order_id}/pay",
            json_body={},
@@ -1280,6 +1366,22 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s
        report(f"POST /orders/{order_id}/pay", code, body)
        check_order_status(s_consumer, order_id, "pending_accept", "after pay")

+        code, body, _ = s_actor.post(
+            f"{GATEWAY}/api/v1/orders/{order_id}/request-close",
+            json_body={},
+            headers=s_actor.csrf_headers(),
+        )
+        report_rejected(f"POST /orders/{order_id}/request-close (before accept)", code, body)
+        check_order_status(s_consumer, order_id, "pending_accept", "after early request-close")
+
+        code, body, _ = s_consumer.post(
+            f"{GATEWAY}/api/v1/orders/{order_id}/pay",
+            json_body={},
+            headers=csrf,
+        )
+        report_rejected(f"POST /orders/{order_id}/pay (second time)", code, body)
+        check_order_status(s_consumer, order_id, "pending_accept", "after duplicate pay")
+
        code, body, _ = s_actor.post(
            f"{GATEWAY}/api/v1/orders/{order_id}/accept",
            json_body={},
@@ -1289,6 +1391,14 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s
        body = check_order_status(s_consumer, order_id, "in_progress", "after accept")
        report_check("accepted order has acceptedAt", bool(body.get("acceptedAt")), body)

+        code, body, _ = s_consumer.post(
+            f"{GATEWAY}/api/v1/orders/{order_id}/confirm-close",
+            json_body={},
+            headers=csrf,
+        )
+        report_rejected(f"POST /orders/{order_id}/confirm-close (before request-close)", code, body)
+        check_order_status(s_consumer, order_id, "in_progress", "after early confirm-close")
+
        code, body, _ = s_actor.post(
            f"{GATEWAY}/api/v1/orders/{order_id}/request-close",
            json_body={},
@@ -1322,6 +1432,15 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s
        body,
    )

+    if order2_id:
+        code, body, _ = s_consumer.post(
+            f"{GATEWAY}/api/v1/orders/{order2_id}/review",
+            json_body={"rating": 5, "content": "too early"},
+            headers=csrf,
+        )
+        report_rejected(f"POST /orders/{order2_id}/review (before completion)", code, body)
+        check_order_status(s_consumer, order2_id, "pending_payment", "after early review")
+
    if order_id:
        code, body, _ = s_consumer.post(
            f"{GATEWAY}/api/v1/orders/{order_id}/reorder",
@@ -1356,6 +1475,14 @@ def phase8_order(s_consumer: Session, s_actor: Session, player_id, service_id, s
        report(f"POST /orders/{order2_id}/cancel", code, body)
        check_order_status(s_consumer, order2_id, "cancelled", "second order after cancel")

+        code, body, _ = s_consumer.post(
+            f"{GATEWAY}/api/v1/orders/{order2_id}/pay",
+            json_body={},
+            headers=csrf,
+        )
+        report_rejected(f"POST /orders/{order2_id}/pay (after cancel)", code, body)
+        check_order_status(s_consumer, order2_id, "cancelled", "after cancelled pay")
+
    code, body, _ = s_consumer.post(
        f"{GATEWAY}/api/v1/orders/paid",
        json_body={
@@ -1693,6 +1820,26 @@ def phase8e_search_and_favorites(s: Session, user_id, player_id, shop_id):
        skip("Favorites mutation flow", "Missing user or player id")
        return

+    code, body, _ = s.post(
+        f"{GATEWAY}/api/v1/favorites",
+        json_body={"targetType": "player", "targetId": "not-a-snowflake"},
+        headers=s.csrf_headers(),
+    )
+    report_rejected("POST /favorites (invalid targetId)", code, body)
+    code, body, _ = s.get(f"{GATEWAY}/api/v1/favorites")
+    report("GET /favorites (after invalid targetId)", code, body)
+    report_check(
+        "invalid favorite target is absent",
+        not bool(
+            find_item(
+                pick_items(body),
+                lambda item: item.get("targetType") == "player"
+                and same_id(item.get("targetId"), "not-a-snowflake"),
+            )
+        ),
+        body,
+    )
+
    code, body, _ = s.post(
        f"{GATEWAY}/api/v1/favorites",
        json_body={"targetType": "player", "targetId": str(player_id)},
@@ -1797,6 +1944,35 @@ def phase9_wallet(s: Session):
        body,
    )

+    code, body, _ = s.post(
+        f"{GATEWAY}/api/v1/wallet/withdraw",
+        json_body={"amount": "0", "method": "alipay"},
+        headers=csrf,
+    )
+    report_rejected("POST /wallet/withdraw (zero amount)", code, body)
+    code, body, _ = s.get(f"{GATEWAY}/api/v1/wallet/balance")
+    report("GET /wallet/balance (after zero withdraw)", code, body)
+    report_check(
+        "zero withdraw keeps balance unchanged",
+        as_decimal(body.get("balance")) == initial_balance,
+        body,
+    )
+
+    excessive_amount = initial_balance + Decimal("999999")
+    code, body, _ = s.post(
+        f"{GATEWAY}/api/v1/wallet/withdraw",
+        json_body={"amount": str(excessive_amount), "method": "alipay"},
+        headers=csrf,
+    )
+    report_rejected("POST /wallet/withdraw (insufficient balance)", code, body)
+    code, body, _ = s.get(f"{GATEWAY}/api/v1/wallet/balance")
+    report("GET /wallet/balance (after insufficient withdraw)", code, body)
+    report_check(
+        "insufficient withdraw keeps balance unchanged",
+        as_decimal(body.get("balance")) == initial_balance,
+        body,
+    )
+
    code, body, _ = s.post(
        f"{GATEWAY}/api/v1/wallet/topup",
        json_body={"amount": "100.00", "method": "alipay"},
@@ -2013,6 +2189,15 @@ def phase10_community(s: Session, user_id):
 def phase11_objectstory(s: Session):
    print("\n=== Phase 11: Objectstory (File) ===")

+    code, body, _ = s.post_multipart(
+        f"{GATEWAY}/api/v1/upload",
+        fields={"type": "post"},
+        files={"file": (f"empty-{rand_str(4)}.txt", b"", "text/plain")},
+        headers=s.csrf_headers(),
+    )
+    report_rejected("POST /upload (empty file)", code, body)
+    report_check("empty upload does not return url", not body.get("url"), body)
+
    code, body, _ = s.post_multipart(
        f"{GATEWAY}/api/v1/upload",
        fields={"type": "post"},