Chatwoot/spec/controllers/api/v1/widget/contacts_controller_spec.rb

require 'rails_helper'

RSpec.describe '/api/v1/widget/contacts', type: :request do
  let(:account) { create(:account) }
  let(:web_widget) { create(:channel_widget, account: account) }
  let(:contact) { create(:contact, account: account, email: 'test@test.com', phone_number: '+745623239') }
  let(:contact_inbox) { create(:contact_inbox, contact: contact, inbox: web_widget.inbox) }
  let(:payload) { { source_id: contact_inbox.source_id, inbox_id: web_widget.inbox.id } }
  let(:token) { ::Widget::TokenService.new(payload: payload).generate_token }

  describe 'PATCH /api/v1/widget/contact' do
    let(:params) { { website_token: web_widget.website_token, identifier: 'test' } }

    context 'with invalid website token' do
      it 'returns unauthorized' do
        patch '/api/v1/widget/contact', params: { website_token: '' }
        expect(response).to have_http_status(:not_found)
      end
    end

    context 'with correct website token' do
      let(:identify_action) { double }

      before do
        allow(ContactIdentifyAction).to receive(:new).and_return(identify_action)
        allow(identify_action).to receive(:perform).and_return(contact)
      end

      it 'calls contact identify' do
        patch '/api/v1/widget/contact',
              params: params,
              headers: { 'X-Auth-Token' => token },
              as: :json

        expect(response).to have_http_status(:success)
        expected_params = { contact: contact, params: params, discard_invalid_attrs: true }
        expect(ContactIdentifyAction).to have_received(:new).with(expected_params)
        expect(identify_action).to have_received(:perform)
      end
    end

    context 'with update contact' do
      let(:params) { { website_token: web_widget.website_token } }

      it 'dont update phone number if invalid phone number passed' do
        patch '/api/v1/widget/contact',
              params: params.merge({ phone_number: '45623239' }),
              headers: { 'X-Auth-Token' => token },
              as: :json
        body = JSON.parse(response.body)
        expect(body['phone_number']).to eq('+745623239')
        expect(response).to have_http_status(:success)
      end

      it 'update phone number if valid phone number passed' do
        patch '/api/v1/widget/contact',
              params: params.merge({ phone_number: '+245623239' }),
              headers: { 'X-Auth-Token' => token },
              as: :json
        body = JSON.parse(response.body)
        expect(body['phone_number']).to eq('+245623239')
        expect(response).to have_http_status(:success)
      end

      it 'dont update email if invalid email passed' do
        patch '/api/v1/widget/contact',
              params: params.merge({ email: 'test@' }),
              headers: { 'X-Auth-Token' => token },
              as: :json
        body = JSON.parse(response.body)
        expect(body['email']).to eq('test@test.com')
        expect(response).to have_http_status(:success)
      end

      it 'update email if valid email passed' do
        patch '/api/v1/widget/contact',
              params: params.merge({ email: 'test-1@test.com' }),
              headers: { 'X-Auth-Token' => token },
              as: :json
        body = JSON.parse(response.body)
        expect(body['email']).to eq('test-1@test.com')
        expect(response).to have_http_status(:success)
      end
    end
  end

  describe 'PATCH /api/v1/widget/contact/set_user' do
    let(:params) { { website_token: web_widget.website_token, identifier: 'test' } }
    let(:web_widget) { create(:channel_widget, account: account, hmac_mandatory: true) }
    let(:correct_identifier_hash) { OpenSSL::HMAC.hexdigest('sha256', web_widget.hmac_token, params[:identifier].to_s) }
    let(:incorrect_identifier_hash) { 'test' }

    context 'when the current contact identifier is different from param identifier' do
      before do
        contact.update(identifier: 'random')
      end

      it 'return a new contact for the provided identifier' do
        patch '/api/v1/widget/contact/set_user',
              params: params.merge(identifier_hash: correct_identifier_hash),
              headers: { 'X-Auth-Token' => token },
              as: :json

        body = JSON.parse(response.body)
        expect(body['id']).not_to eq(contact.id)
        expect(body['widget_auth_token']).not_to be_nil
        expect(Contact.find(body['id']).contact_inboxes.first.hmac_verified?).to be(true)
      end
    end

    context 'with mandatory hmac' do
      let(:identify_action) { double }

      before do
        allow(ContactIdentifyAction).to receive(:new).and_return(identify_action)
        allow(identify_action).to receive(:perform).and_return(contact)
      end

      it 'returns success when correct identifier hash is provided' do
        patch '/api/v1/widget/contact/set_user',
              params: params.merge(identifier_hash: correct_identifier_hash),
              headers: { 'X-Auth-Token' => token },
              as: :json

        expect(response).to have_http_status(:success)
      end

      it 'returns error when incorrect identifier hash is provided' do
        patch '/api/v1/widget/contact/set_user',
              params: params.merge(identifier_hash: incorrect_identifier_hash),
              headers: { 'X-Auth-Token' => token },
              as: :json

        expect(response).to have_http_status(:unauthorized)
      end

      it 'returns error when identifier hash is blank' do
        patch '/api/v1/widget/contact/set_user',
              params: params.merge(identifier_hash: ''),
              headers: { 'X-Auth-Token' => token },
              as: :json

        expect(response).to have_http_status(:unauthorized)
      end

      it 'returns error when identifier hash is not provided' do
        patch '/api/v1/widget/contact/set_user',
              params: params,
              headers: { 'X-Auth-Token' => token },
              as: :json

        expect(response).to have_http_status(:unauthorized)
      end
    end
  end

  describe 'POST /api/v1/widget/destroy_custom_attributes' do
    let(:params) { { website_token: web_widget.website_token, identifier: 'test', custom_attributes: ['test'] } }

    context 'with invalid website token' do
      it 'returns unauthorized' do
        post '/api/v1/widget/destroy_custom_attributes', params: { website_token: '' }
        expect(response).to have_http_status(:not_found)
      end
    end

    context 'with correct website token' do
      it 'calls destroy custom attributes' do
        post '/api/v1/widget/destroy_custom_attributes',
             params: params,
             headers: { 'X-Auth-Token' => token },
             as: :json
        expect(contact.reload.custom_attributes).to eq({})
      end
    end
  end
end
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`require 'rails_helper'`

			`RSpec.describe '/api/v1/widget/contacts', type: :request do`
			`let(:account) { create(:account) }`
			`let(:web_widget) { create(:channel_widget, account: account) }`
fix: Bypass invalid values in contact patch end point (#4519) 2022-04-25 06:55:38 +00:00			`let(:contact) { create(:contact, account: account, email: 'test@test.com', phone_number: '+745623239') }`
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`let(:contact_inbox) { create(:contact_inbox, contact: contact, inbox: web_widget.inbox) }`
			`let(:payload) { { source_id: contact_inbox.source_id, inbox_id: web_widget.inbox.id } }`
			`let(:token) { ::Widget::TokenService.new(payload: payload).generate_token }`

			`describe 'PATCH /api/v1/widget/contact' do`
			`let(:params) { { website_token: web_widget.website_token, identifier: 'test' } }`

			`context 'with invalid website token' do`
			`it 'returns unauthorized' do`
			`patch '/api/v1/widget/contact', params: { website_token: '' }`
			`expect(response).to have_http_status(:not_found)`
			`end`
			`end`

			`context 'with correct website token' do`
			`let(:identify_action) { double }`

			`before do`
			`allow(ContactIdentifyAction).to receive(:new).and_return(identify_action)`
fix: Add fixes for sentry errors (#3522) - Add fixes for sentry errors 2021-12-09 06:20:28 +00:00			`allow(identify_action).to receive(:perform).and_return(contact)`
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`end`

			`it 'calls contact identify' do`
			`patch '/api/v1/widget/contact',`
			`params: params,`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`

			`expect(response).to have_http_status(:success)`
chore: Fix contact model silently discarding invalid attributes (#4994) fixes: #4775 2022-07-08 08:28:09 +00:00			`expected_params = { contact: contact, params: params, discard_invalid_attrs: true }`
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`expect(ContactIdentifyAction).to have_received(:new).with(expected_params)`
			`expect(identify_action).to have_received(:perform)`
			`end`
			`end`
fix: Ensure HMAC mandatory when enabled (#3350) Add missing condition checking if HMAC is mandatory. Fixes #3349 2021-11-11 04:18:38 +00:00
fix: Bypass invalid values in contact patch end point (#4519) 2022-04-25 06:55:38 +00:00			`context 'with update contact' do`
			`let(:params) { { website_token: web_widget.website_token } }`

			`it 'dont update phone number if invalid phone number passed' do`
			`patch '/api/v1/widget/contact',`
			`params: params.merge({ phone_number: '45623239' }),`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`
			`body = JSON.parse(response.body)`
			`expect(body['phone_number']).to eq('+745623239')`
			`expect(response).to have_http_status(:success)`
			`end`

			`it 'update phone number if valid phone number passed' do`
			`patch '/api/v1/widget/contact',`
			`params: params.merge({ phone_number: '+245623239' }),`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`
			`body = JSON.parse(response.body)`
			`expect(body['phone_number']).to eq('+245623239')`
			`expect(response).to have_http_status(:success)`
			`end`

			`it 'dont update email if invalid email passed' do`
			`patch '/api/v1/widget/contact',`
			`params: params.merge({ email: 'test@' }),`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`
			`body = JSON.parse(response.body)`
			`expect(body['email']).to eq('test@test.com')`
			`expect(response).to have_http_status(:success)`
			`end`

			`it 'update email if valid email passed' do`
			`patch '/api/v1/widget/contact',`
			`params: params.merge({ email: 'test-1@test.com' }),`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`
			`body = JSON.parse(response.body)`
			`expect(body['email']).to eq('test-1@test.com')`
			`expect(response).to have_http_status(:success)`
			`end`
			`end`
chore: Enhance contact merge action for identified users (#4886) - Discard conflicting keys - Do not merge if there is already an identified contact Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2022-06-23 10:18:56 +00:00			`end`

			`describe 'PATCH /api/v1/widget/contact/set_user' do`
			`let(:params) { { website_token: web_widget.website_token, identifier: 'test' } }`
			`let(:web_widget) { create(:channel_widget, account: account, hmac_mandatory: true) }`
			`let(:correct_identifier_hash) { OpenSSL::HMAC.hexdigest('sha256', web_widget.hmac_token, params[:identifier].to_s) }`
			`let(:incorrect_identifier_hash) { 'test' }`

			`context 'when the current contact identifier is different from param identifier' do`
			`before do`
			`contact.update(identifier: 'random')`
			`end`

			`it 'return a new contact for the provided identifier' do`
			`patch '/api/v1/widget/contact/set_user',`
			`params: params.merge(identifier_hash: correct_identifier_hash),`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`

			`body = JSON.parse(response.body)`
			`expect(body['id']).not_to eq(contact.id)`
chore: Update dependencies to the latest versions (#5033) 2022-07-15 02:51:59 +00:00			`expect(body['widget_auth_token']).not_to be_nil`
			`expect(Contact.find(body['id']).contact_inboxes.first.hmac_verified?).to be(true)`
chore: Enhance contact merge action for identified users (#4886) - Discard conflicting keys - Do not merge if there is already an identified contact Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2022-06-23 10:18:56 +00:00			`end`
			`end`
fix: Bypass invalid values in contact patch end point (#4519) 2022-04-25 06:55:38 +00:00
fix: Ensure HMAC mandatory when enabled (#3350) Add missing condition checking if HMAC is mandatory. Fixes #3349 2021-11-11 04:18:38 +00:00			`context 'with mandatory hmac' do`
			`let(:identify_action) { double }`

			`before do`
			`allow(ContactIdentifyAction).to receive(:new).and_return(identify_action)`
fix: Add fixes for sentry errors (#3522) - Add fixes for sentry errors 2021-12-09 06:20:28 +00:00			`allow(identify_action).to receive(:perform).and_return(contact)`
fix: Ensure HMAC mandatory when enabled (#3350) Add missing condition checking if HMAC is mandatory. Fixes #3349 2021-11-11 04:18:38 +00:00			`end`

			`it 'returns success when correct identifier hash is provided' do`
chore: Enhance contact merge action for identified users (#4886) - Discard conflicting keys - Do not merge if there is already an identified contact Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2022-06-23 10:18:56 +00:00			`patch '/api/v1/widget/contact/set_user',`
fix: Ensure HMAC mandatory when enabled (#3350) Add missing condition checking if HMAC is mandatory. Fixes #3349 2021-11-11 04:18:38 +00:00			`params: params.merge(identifier_hash: correct_identifier_hash),`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`

			`expect(response).to have_http_status(:success)`
			`end`

			`it 'returns error when incorrect identifier hash is provided' do`
chore: Enhance contact merge action for identified users (#4886) - Discard conflicting keys - Do not merge if there is already an identified contact Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2022-06-23 10:18:56 +00:00			`patch '/api/v1/widget/contact/set_user',`
fix: Ensure HMAC mandatory when enabled (#3350) Add missing condition checking if HMAC is mandatory. Fixes #3349 2021-11-11 04:18:38 +00:00			`params: params.merge(identifier_hash: incorrect_identifier_hash),`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`

			`expect(response).to have_http_status(:unauthorized)`
			`end`

			`it 'returns error when identifier hash is blank' do`
chore: Enhance contact merge action for identified users (#4886) - Discard conflicting keys - Do not merge if there is already an identified contact Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2022-06-23 10:18:56 +00:00			`patch '/api/v1/widget/contact/set_user',`
fix: Ensure HMAC mandatory when enabled (#3350) Add missing condition checking if HMAC is mandatory. Fixes #3349 2021-11-11 04:18:38 +00:00			`params: params.merge(identifier_hash: ''),`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`

			`expect(response).to have_http_status(:unauthorized)`
			`end`

			`it 'returns error when identifier hash is not provided' do`
chore: Enhance contact merge action for identified users (#4886) - Discard conflicting keys - Do not merge if there is already an identified contact Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2022-06-23 10:18:56 +00:00			`patch '/api/v1/widget/contact/set_user',`
fix: Ensure HMAC mandatory when enabled (#3350) Add missing condition checking if HMAC is mandatory. Fixes #3349 2021-11-11 04:18:38 +00:00			`params: params,`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`

			`expect(response).to have_http_status(:unauthorized)`
			`end`
			`end`
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`end`
chore: Update `deleteCustomAttribute` method in SDK (#3334) 2021-11-15 09:26:35 +00:00
			`describe 'POST /api/v1/widget/destroy_custom_attributes' do`
			`let(:params) { { website_token: web_widget.website_token, identifier: 'test', custom_attributes: ['test'] } }`

			`context 'with invalid website token' do`
			`it 'returns unauthorized' do`
			`post '/api/v1/widget/destroy_custom_attributes', params: { website_token: '' }`
			`expect(response).to have_http_status(:not_found)`
			`end`
			`end`

			`context 'with correct website token' do`
			`it 'calls destroy custom attributes' do`
			`post '/api/v1/widget/destroy_custom_attributes',`
			`params: params,`
			`headers: { 'X-Auth-Token' => token },`
			`as: :json`
			`expect(contact.reload.custom_attributes).to eq({})`
			`end`
			`end`
			`end`
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`end`