rama/halobestie-clone
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 4 §2.1: anonymous → existing-user merge breadcrumb

Browse Source 
Adds `customers.account_belongs_to UUID NULL` and refactors customer
sign-in (phone/Google/Apple) so an anon row that re-verifies into an
existing customer no longer 409s. Instead the anon row stays intact
with a breadcrumb pointing at the real customer; tokens are issued
for the existing user. Actual data reconciliation onto the existing
row (chat_sessions, customer_transactions, payment_sessions,
pairing_failures) is deferred.

Backend
- migrate.js: ADD COLUMN account_belongs_to UUID REFERENCES customers(id)
  ON DELETE SET NULL.
- customer.service.js: stampAccountBelongsTo helper; account_belongs_to
  exposed in CUSTOMER_SELECT.
- auth.service.js: new shared resolveCustomerForIdentity (4-case logic);
  normalizeIdentityConflict + IDENTITY_ALREADY_LINKED 409 deleted;
  completeCustomerPhoneSignIn / signInWithGoogle / signInWithApple all
  route through the shared helper.
- client.auth.routes.js: new resolveAnonymousCustomerId picks the anon
  prefix ONLY from a verified Bearer JWT — closes the UUID-leak attack
  where a tamper-able body field could mis-route someone else's
  transactions. /otp/verify, /google, /apple all use it; the body field
  `anonymous_customer_id` is no longer accepted on any of them.
- test/services/auth.service.test.js: 9 Vitest cases covering phone +
  Google + Apple, all 4 logic cases + multi-merge accumulation.

Customer app
- auth_notifier.dart::verifyOtp: drop `skipAuth: true` and the dead
  body field so ApiClient auto-attaches the anon's Bearer from
  AuthBridge. Survives the AuthOtpSentData state transition (the
  earlier `_currentAnonymousCustomerId()` state-drop bug is bypassed by
  sourcing the id from the bridge instead of state).
- Google + Apple client paths remain unchanged (gated on provider
  creds; mirror this fix when wiring lands).

Docs
- flow_customer.mermaid.md: new §2.1 sub-section with the merge
  diagram, schema note, replaces-current-behaviour paragraph, and
  Bearer-only security callout.
- phase3.4-testing.md: §1.5 line 76 simplified (no more per-path
  split); new §1.5.1 with the 5-step operator scenario + DB invariants
  + curl recipe + Vitest pointer; new §1.5.2 covering Google/Apple
  parity (deferred client work flagged).

Verification (against live dev backend, before this commit):
- Vitest: 9/9 in auth.service.test.js; 49/51 overall (2 unrelated
  pre-existing failures in session-timer.service.test.js).
- Operator Node smoke: 14/14 in the §1.5.1 scenario; 11/11 in the
  Bearer-precedence cases.
- Real-device UI walkthrough on SM-A530F still pending — see resume
  memory `project_phase4_2_1_resume_test`.

Sister WIP bundled in migrate.js + customer.service.js: `usp_seen`
column + `markCustomerUspSeen` helper (Phase 4 USP one-time gate, was
already uncommitted in the working tree).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
ramadhan sjamsani
2026-05-13 23:57:53 +08:00
parent 22b10c4bbf
commit a48f108fc0
8 changed files with 596 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
backend/src/db/migrate.js
View File

@@ -654,6 +654,31 @@ const migrate = async () => {
ON CONFLICT (key) DO NOTHING
`
// 5. Phase 4 USP one-time gate. Customers see S5b USP at most once; this flag
// is the cross-device source of truth, OR-merged with a local
// SharedPreferences flag on the client. Existing customers come out as
// false and will see USP one more time on next "aku mau curhat" — business
// accepted this backfill cost.
await sql`
ALTER TABLE customers
ADD COLUMN IF NOT EXISTS usp_seen BOOLEAN NOT NULL DEFAULT FALSE
`
// --- Phase 4 §2.1: Anonymous → existing-user merge breadcrumb ---
//
// When an anonymous customer verifies a phone that already belongs to a
// different (existing) customer row, we don't 409 the OTP and we don't
// delete the anon row (which would orphan its chat_sessions /
// customer_transactions). Instead we stamp account_belongs_to on the anon
// row pointing at the existing customer's id, then log the app in as the
// existing user. Actual data reconciliation (moving FKs onto the existing
// row) is deferred to a later phase — this column is the breadcrumb that
// makes the merge replayable.
await sql`
ALTER TABLE customers
ADD COLUMN IF NOT EXISTS account_belongs_to UUID REFERENCES customers(id) ON DELETE SET NULL
`
console.log('Migration complete.')
await sql.end()
}

78
backend/src/routes/public/client.auth.routes.js
View File

@@ -1,11 +1,16 @@
import { authenticate } from '../../plugins/auth.js'
import { getCustomerById, updateCustomerDisplayName } from '../../services/customer.service.js'
import {
getCustomerById,
markCustomerUspSeen,
updateCustomerDisplayName,
} from '../../services/customer.service.js'
import {
completeCustomerPhoneSignIn,
signInWithGoogle,
signInWithApple,
} from '../../services/auth.service.js'
import { requestOtp, verifyOtp } from '../../services/otp.service.js'
import { verifyAccessToken } from '../../services/token.service.js'
import { UserType } from '../../constants.js'
const extractDeviceInfo = (request) => ({
@@ -13,6 +18,29 @@ const extractDeviceInfo = (request) => ({
ip: request.ip || null,
})
// Phase 4 §2.1 — Resolve the trusted anonymous customer id for the merge path.
// Source of truth is a verified Bearer JWT. The body field was deliberately
// dropped: a tamper-able UUID in the body lets anyone who learns a victim's
// anon id stamp `account_belongs_to` on it, which would mis-route their
// transactions during reconciliation. The JWT is HS256-signed with
// AUTH_JWT_SECRET — un-forgeable.
//
// Rules:
// - Bearer valid + customer + customer.is_anonymous → return that customer id.
// - Bearer valid + customer but NOT anonymous (already verified) → null
// - Bearer absent or invalid → null
const resolveAnonymousCustomerId = async ({ bearer }) => {
if (!bearer || !bearer.startsWith('Bearer ')) return null
try {
const claims = verifyAccessToken(bearer.slice('Bearer '.length))
if (claims.userType !== UserType.CUSTOMER) return null
const customer = await getCustomerById(claims.userId)
return customer?.is_anonymous ? customer.id : null
} catch {
return null
}
}
const sendAuthError = (reply, err) => {
if (!err.statusCode) reply.request.log.error({ err }, 'Unhandled auth error')
return reply.code(err.statusCode || 500).send({
@@ -44,7 +72,7 @@ export const clientAuthRoutes = async (app) => {
})
app.post('/otp/verify', async (request, reply) => {
const { otp_request_id, code, anonymous_customer_id } = request.body || {}
const { otp_request_id, code } = request.body || {}
try {
const { phone, user_type } = await verifyOtp({ otpRequestId: otp_request_id, code })
if (user_type !== UserType.CUSTOMER) {
@@ -53,9 +81,17 @@ export const clientAuthRoutes = async (app) => {
error: { code: 'WRONG_FLOW', message: 'This OTP was issued for a different user type' },
})
}
// Phase 4 §2.1 — the anon prefix used to drive the
// account_belongs_to merge is derived ONLY from the verified Bearer
// JWT. Clients that need the merge must send their anonymous session's
// access_token as `Authorization: Bearer …`. The body field is no
// longer accepted.
const anonymousCustomerId = await resolveAnonymousCustomerId({
bearer: request.headers.authorization,
})
const { tokens, profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: anonymous_customer_id || null,
anonymousCustomerId,
deviceInfo: extractDeviceInfo(request),
})
return reply.send({ success: true, data: { ...tokens, profile } })
@@ -67,7 +103,7 @@ export const clientAuthRoutes = async (app) => {
// --- Google ---
app.post('/google', async (request, reply) => {
const { id_token, anonymous_customer_id } = request.body || {}
const { id_token } = request.body || {}
if (!id_token) {
return reply.code(422).send({
success: false,
@@ -75,9 +111,14 @@ export const clientAuthRoutes = async (app) => {
})
}
try {
// Phase 4 §2.1 — anon prefix is derived ONLY from the Bearer JWT;
// body field `anonymous_customer_id` is not accepted.
const anonymousCustomerId = await resolveAnonymousCustomerId({
bearer: request.headers.authorization,
})
const { tokens, profile } = await signInWithGoogle({
idToken: id_token,
anonymousCustomerId: anonymous_customer_id || null,
anonymousCustomerId,
deviceInfo: extractDeviceInfo(request),
})
return reply.send({ success: true, data: { ...tokens, profile } })
@@ -89,7 +130,7 @@ export const clientAuthRoutes = async (app) => {
// --- Apple ---
app.post('/apple', async (request, reply) => {
const { id_token, anonymous_customer_id } = request.body || {}
const { id_token } = request.body || {}
if (!id_token) {
return reply.code(422).send({
success: false,
@@ -97,9 +138,13 @@ export const clientAuthRoutes = async (app) => {
})
}
try {
// Phase 4 §2.1 — same Bearer-only contract as /otp/verify and /google.
const anonymousCustomerId = await resolveAnonymousCustomerId({
bearer: request.headers.authorization,
})
const { tokens, profile } = await signInWithApple({
idToken: id_token,
anonymousCustomerId: anonymous_customer_id || null,
anonymousCustomerId,
deviceInfo: extractDeviceInfo(request),
})
return reply.send({ success: true, data: { ...tokens, profile } })
@@ -127,6 +172,25 @@ export const clientAuthRoutes = async (app) => {
return reply.send({ success: true, data: customer })
})
// --- Phase 4: mark USP screen as seen (one-time gate, idempotent) ---
app.post('/usp-seen', { preHandler: authenticate }, async (request, reply) => {
if (request.auth.userType !== UserType.CUSTOMER) {
return reply.code(403).send({
success: false,
error: { code: 'FORBIDDEN', message: 'Customer account required' },
})
}
const updated = await markCustomerUspSeen(request.auth.userId)
if (!updated) {
return reply.code(404).send({
success: false,
error: { code: 'NOT_FOUND', message: 'Customer account not found' },
})
}
return reply.send({ success: true, data: updated })
})
// --- Update display name ---
app.patch('/profile', { preHandler: authenticate }, async (request, reply) => {

115
backend/src/services/auth.service.js
View File

@@ -7,6 +7,7 @@ import {
createAnonymousCustomerV2,
createCustomerWithIdentity,
upgradeCustomerIdentity,
stampAccountBelongsTo,
} from './customer.service.js'
import {
getMitraByPhone,
@@ -38,15 +39,37 @@ export class AuthError extends Error {
}
}
const normalizeIdentityConflict = async ({ existing, anonymousCustomerId }) => {
// If an authenticated identity is already linked to a DIFFERENT customer,
// reject. Merge is deferred per PRD.
if (existing && anonymousCustomerId && existing.id !== anonymousCustomerId) {
throw new AuthError(
'This account is already linked to another session. Please log out first.',
'IDENTITY_ALREADY_LINKED', 409,
)
// Phase 4 §2.1 — shared identity-resolution path used by phone/Google/Apple
// sign-ins. Three branches:
//
// 1. existing identity row + anon prefix points at a different row
// → stamp `account_belongs_to` on the anon row and return the existing
// row. The anon row stays intact so its prior chat_sessions /
// customer_transactions FKs remain valid; reconciliation onto the
// existing customer is replayable later via the breadcrumb.
// 2. existing identity row (no anon, or anon id == existing.id)
// → return existing as-is.
// 3. no existing row + anon prefix
// → upgrade the anon row in place (set identity fields, preserve
// display_name etc. via COALESCE).
// 4. no existing row + no anon
// → create a fresh identified customer with display_name=null (client
// routes to the set-display-name screen).
//
// `identityFields` is the set of columns added by either upgrade or create
// (phone, google_sub+email, apple_sub+email). display_name=null is appended
// automatically for the create case.
const resolveCustomerForIdentity = async ({ existing, anonymousCustomerId, identityFields }) => {
if (existing) {
if (anonymousCustomerId && existing.id !== anonymousCustomerId) {
await stampAccountBelongsTo(anonymousCustomerId, existing.id)
}
return existing
}
if (anonymousCustomerId) {
return await upgradeCustomerIdentity(anonymousCustomerId, identityFields)
}
return await createCustomerWithIdentity({ ...identityFields, display_name: null })
}
// --- Anonymous ---
@@ -63,21 +86,14 @@ export const signInAnonymous = async ({ deviceInfo } = {}) => {
return { tokens, profile: customer }
}
// --- Phone OTP — Customer ---
// --- Phone OTP — Customer (Phase 4 §2.1 merge breadcrumb) ---
export const completeCustomerPhoneSignIn = async ({ phone, anonymousCustomerId, deviceInfo }) => {
const existing = await getCustomerByPhone(phone)
await normalizeIdentityConflict({ existing, anonymousCustomerId })
let customer
if (existing) {
customer = existing
} else if (anonymousCustomerId) {
customer = await upgradeCustomerIdentity(anonymousCustomerId, { phone })
} else {
customer = await createCustomerWithIdentity({ phone, display_name: null })
}
const customer = await resolveCustomerForIdentity({
existing,
anonymousCustomerId,
identityFields: { phone },
})
const tokens = await issueTokens({
userType: UserType.CUSTOMER,
userId: customer.id,
@@ -101,32 +117,18 @@ export const completeMitraPhoneSignIn = async ({ phone, deviceInfo }) => {
return { tokens, profile: mitra }
}
// --- Google (customer only) ---
// --- Google (customer only) — Phase 4 §2.1 merge breadcrumb ---
//
// We don't pull display_name from Google; the anon's display_name is
// preserved via upgradeCustomerIdentity's COALESCE.
export const signInWithGoogle = async ({ idToken, anonymousCustomerId, deviceInfo }) => {
const google = await verifyGoogleIdToken(idToken)
const existing = await getCustomerByGoogleSub(google.sub)
await normalizeIdentityConflict({ existing, anonymousCustomerId })
let customer
if (existing) {
customer = existing
} else if (anonymousCustomerId) {
// Preserve the anonymous display_name; we don't pull name from Google.
customer = await upgradeCustomerIdentity(anonymousCustomerId, {
google_sub: google.sub,
email: google.email,
})
} else {
// No anonymous bootstrap → display_name is null; frontend routes to
// the set-display-name screen.
customer = await createCustomerWithIdentity({
google_sub: google.sub,
email: google.email,
display_name: null,
})
}
const customer = await resolveCustomerForIdentity({
existing,
anonymousCustomerId,
identityFields: { google_sub: google.sub, email: google.email },
})
const tokens = await issueTokens({
userType: UserType.CUSTOMER,
userId: customer.id,
@@ -135,29 +137,16 @@ export const signInWithGoogle = async ({ idToken, anonymousCustomerId, deviceInf
return { tokens, profile: customer }
}
// --- Apple (customer only) ---
// --- Apple (customer only) — Phase 4 §2.1 merge breadcrumb ---
export const signInWithApple = async ({ idToken, anonymousCustomerId, deviceInfo }) => {
const apple = await verifyAppleIdToken(idToken)
const existing = await getCustomerByAppleSub(apple.sub)
await normalizeIdentityConflict({ existing, anonymousCustomerId })
let customer
if (existing) {
customer = existing
} else if (anonymousCustomerId) {
customer = await upgradeCustomerIdentity(anonymousCustomerId, {
apple_sub: apple.sub,
email: apple.email,
})
} else {
customer = await createCustomerWithIdentity({
apple_sub: apple.sub,
email: apple.email,
display_name: null,
})
}
const customer = await resolveCustomerForIdentity({
existing,
anonymousCustomerId,
identityFields: { apple_sub: apple.sub, email: apple.email },
})
const tokens = await issueTokens({
userType: UserType.CUSTOMER,
userId: customer.id,

29
backend/src/services/customer.service.js
View File

@@ -13,7 +13,7 @@ export const updateCustomerDisplayName = async (customerId, displayName) => {
// --- Phase 3.4: Self-Managed Auth ---
const CUSTOMER_SELECT = sql`id, display_name, is_anonymous, phone, email, google_sub, apple_sub, created_at`
const CUSTOMER_SELECT = sql`id, display_name, is_anonymous, phone, email, google_sub, apple_sub, usp_seen, account_belongs_to, created_at`
export const getCustomerById = async (id) => {
const [row] = await sql`SELECT ${CUSTOMER_SELECT} FROM customers WHERE id = ${id}`
@@ -79,3 +79,30 @@ export const upgradeCustomerIdentity = async (customerId, {
`
return row
}
// --- Phase 4 §2.1: Anonymous → existing merge breadcrumb ---
// Stamps the anon-row with the existing customer's id. The anon row stays
// intact (preserving its chat_sessions/customer_transactions FKs); the
// breadcrumb makes the data reconciliation replayable in a later phase.
// Returns the updated anon row (mostly for tests/audit).
export const stampAccountBelongsTo = async (anonCustomerId, existingCustomerId) => {
const [row] = await sql`
UPDATE customers
SET account_belongs_to = ${existingCustomerId}
WHERE id = ${anonCustomerId}
RETURNING ${CUSTOMER_SELECT}
`
return row
}
// --- Phase 4: USP one-time gate ---
export const markCustomerUspSeen = async (customerId) => {
const [row] = await sql`
UPDATE customers SET usp_seen = TRUE
WHERE id = ${customerId}
RETURNING ${CUSTOMER_SELECT}
`
return row
}

223
backend/test/services/auth.service.test.js Normal file
View File

@@ -0,0 +1,223 @@
import { describe, it, expect, beforeEach, vi } from 'vitest'
import { randomUUID } from 'node:crypto'
// Stub the social-identity verifiers so Google/Apple tests don't need real
// id_tokens. Each test passes the synthetic payload directly via the
// id_token string and the mock returns it parsed.
vi.mock('../../src/services/social-identity.service.js', () => ({
verifyGoogleIdToken: vi.fn(async (idToken) => JSON.parse(idToken)),
verifyAppleIdToken: vi.fn(async (idToken) => JSON.parse(idToken)),
}))
const {
completeCustomerPhoneSignIn,
signInWithGoogle,
signInWithApple,
} = await import('../../src/services/auth.service.js')
const { db, resetDb } = await import('../helpers/db.js')
const { createCustomer } = await import('../helpers/fixtures.js')
// Phase 4 §2.1 — Anonymous → existing-user merge breadcrumb.
//
// `resetDb` does NOT truncate the customers table (see helpers/db.js); each
// test must use a phone that's unique across runs to avoid colliding with rows
// left behind by prior runs.
const uniquePhone = () => {
const digits = randomUUID().replace(/[^0-9]/g, '').slice(0, 11).padEnd(11, '0')
return `+628${digits}`
}
describe('completeCustomerPhoneSignIn — Phase 4 §2.1 merge breadcrumb', () => {
beforeEach(async () => {
await resetDb()
})
// --- Case 4: no anon prefix, new phone ---
it('creates a fresh identified customer with null display_name (no anon, new phone)', async () => {
const phone = uniquePhone()
const { profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: null,
deviceInfo: {},
})
expect(profile.phone).toBe(phone)
expect(profile.display_name).toBeNull()
expect(profile.is_anonymous).toBe(false)
expect(profile.account_belongs_to).toBeNull()
})
// --- Case 3: anon prefix, new phone → upgrade in place ---
it('upgrades the anon row in place, preserving display_name (anon, new phone)', async () => {
const phone = uniquePhone()
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: anon.id,
deviceInfo: {},
})
expect(profile.id).toBe(anon.id) // same row, upgraded
expect(profile.phone).toBe(phone)
expect(profile.display_name).toBe('Bujak') // preserved via COALESCE
expect(profile.is_anonymous).toBe(false)
expect(profile.account_belongs_to).toBeNull() // no merge
// No new customer row was created.
const sql = db()
const [{ count }] = await sql`SELECT COUNT(*)::int AS count FROM customers WHERE phone = ${phone}`
expect(count).toBe(1)
})
// --- Case 1: anon prefix, existing phone → stamp breadcrumb, return existing ---
it('stamps account_belongs_to on the anon row and returns the existing customer (anon, existing phone)', async () => {
const phone = uniquePhone()
const existing = await createCustomer({ callName: 'Wati', phone, isAnonymous: false })
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile, tokens } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: anon.id,
deviceInfo: {},
})
// The session logs in AS the existing user.
expect(profile.id).toBe(existing.id)
expect(profile.display_name).toBe('Wati') // existing's name, overwrites local
expect(profile.phone).toBe(phone)
expect(profile.account_belongs_to).toBeNull() // existing row is the target, not stamped
// Token claims point at the existing user (so subsequent requests act as them).
expect(tokens.access_token).toBeDefined()
// Anon row stays intact, now carries the merge breadcrumb.
const sql = db()
const [anonRow] = await sql`SELECT id, display_name, account_belongs_to, is_anonymous FROM customers WHERE id = ${anon.id}`
expect(anonRow).toBeDefined() // not deleted
expect(anonRow.display_name).toBe('Bujak') // preserved
expect(anonRow.account_belongs_to).toBe(existing.id) // breadcrumb stamped
expect(anonRow.is_anonymous).toBe(true) // still anon (for later reconciliation)
})
// --- Case 2a: no anon prefix, existing phone → return existing, no stamping ---
it('returns the existing customer as-is when no anon prefix (existing phone, fresh app)', async () => {
const phone = uniquePhone()
const existing = await createCustomer({ callName: 'Wati', phone, isAnonymous: false })
const { profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: null,
deviceInfo: {},
})
expect(profile.id).toBe(existing.id)
expect(profile.display_name).toBe('Wati')
expect(profile.account_belongs_to).toBeNull()
})
// --- Case 2b: anon id === existing's id (user re-verifying own phone) ---
// No-op merge. account_belongs_to stays null; no self-reference is created.
it('does not self-stamp when the anon id equals the existing customer id (re-verify)', async () => {
const phone = uniquePhone()
const existing = await createCustomer({ callName: 'Wati', phone, isAnonymous: false })
const { profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: existing.id, // same id as the existing row
deviceInfo: {},
})
expect(profile.id).toBe(existing.id)
expect(profile.account_belongs_to).toBeNull()
// Verify nothing self-referenced.
const sql = db()
const [row] = await sql`SELECT account_belongs_to FROM customers WHERE id = ${existing.id}`
expect(row.account_belongs_to).toBeNull()
})
// --- Google: stamp breadcrumb on existing-different-id (parity with phone) ---
it('Google: stamps account_belongs_to when existing google_sub differs from anon (Case 1)', async () => {
const googleSub = `g-${randomUUID()}`
const [existing] = await db()`
INSERT INTO customers (display_name, is_anonymous, google_sub, email)
VALUES ('Wati', false, ${googleSub}, 'wati@example.com')
RETURNING ${db()`id, display_name, is_anonymous, phone, email, google_sub, apple_sub, usp_seen, account_belongs_to, created_at`}
`
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile } = await signInWithGoogle({
idToken: JSON.stringify({ sub: googleSub, email: 'wati@example.com' }),
anonymousCustomerId: anon.id,
deviceInfo: {},
})
expect(profile.id).toBe(existing.id)
expect(profile.display_name).toBe('Wati')
const [anonRow] = await db()`SELECT account_belongs_to FROM customers WHERE id = ${anon.id}`
expect(anonRow.account_belongs_to).toBe(existing.id)
})
// --- Google: upgrade-in-place when google_sub is new ---
it('Google: upgrades anon in place when google_sub is new, preserving display_name (Case 3)', async () => {
const googleSub = `g-${randomUUID()}`
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile } = await signInWithGoogle({
idToken: JSON.stringify({ sub: googleSub, email: 'bujak@example.com' }),
anonymousCustomerId: anon.id,
deviceInfo: {},
})
expect(profile.id).toBe(anon.id)
expect(profile.google_sub).toBe(googleSub)
expect(profile.email).toBe('bujak@example.com')
expect(profile.display_name).toBe('Bujak')
expect(profile.is_anonymous).toBe(false)
expect(profile.account_belongs_to).toBeNull()
})
// --- Apple: stamp breadcrumb on existing-different-id (parity with phone) ---
it('Apple: stamps account_belongs_to when existing apple_sub differs from anon (Case 1)', async () => {
const appleSub = `a-${randomUUID()}`
const [existing] = await db()`
INSERT INTO customers (display_name, is_anonymous, apple_sub, email)
VALUES ('Wati', false, ${appleSub}, 'wati@apple.example')
RETURNING ${db()`id, display_name, is_anonymous, phone, email, google_sub, apple_sub, usp_seen, account_belongs_to, created_at`}
`
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile } = await signInWithApple({
idToken: JSON.stringify({ sub: appleSub, email: 'wati@apple.example' }),
anonymousCustomerId: anon.id,
deviceInfo: {},
})
expect(profile.id).toBe(existing.id)
expect(profile.display_name).toBe('Wati')
const [anonRow] = await db()`SELECT account_belongs_to FROM customers WHERE id = ${anon.id}`
expect(anonRow.account_belongs_to).toBe(existing.id)
})
// --- Multi-merge: same anon path used twice for the same existing user accumulates without conflict ---
it('handles multiple anon rows pointing at the same existing user (multi-merge accumulation)', async () => {
const phone = uniquePhone()
const existing = await createCustomer({ callName: 'Wati', phone, isAnonymous: false })
const anon1 = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const anon2 = await createCustomer({ callName: 'Bendoyo', isAnonymous: true })
await completeCustomerPhoneSignIn({ phone, anonymousCustomerId: anon1.id, deviceInfo: {} })
await completeCustomerPhoneSignIn({ phone, anonymousCustomerId: anon2.id, deviceInfo: {} })
const sql = db()
const rows = await sql`SELECT id, account_belongs_to FROM customers WHERE id IN (${anon1.id}, ${anon2.id}) ORDER BY display_name`
expect(rows).toHaveLength(2)
for (const row of rows) {
expect(row.account_belongs_to).toBe(existing.id)
}
})
})