rama/halobestie-clone
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 4 §2.1: anonymous → existing-user merge breadcrumb

Browse Source 
Adds `customers.account_belongs_to UUID NULL` and refactors customer
sign-in (phone/Google/Apple) so an anon row that re-verifies into an
existing customer no longer 409s. Instead the anon row stays intact
with a breadcrumb pointing at the real customer; tokens are issued
for the existing user. Actual data reconciliation onto the existing
row (chat_sessions, customer_transactions, payment_sessions,
pairing_failures) is deferred.

Backend
- migrate.js: ADD COLUMN account_belongs_to UUID REFERENCES customers(id)
  ON DELETE SET NULL.
- customer.service.js: stampAccountBelongsTo helper; account_belongs_to
  exposed in CUSTOMER_SELECT.
- auth.service.js: new shared resolveCustomerForIdentity (4-case logic);
  normalizeIdentityConflict + IDENTITY_ALREADY_LINKED 409 deleted;
  completeCustomerPhoneSignIn / signInWithGoogle / signInWithApple all
  route through the shared helper.
- client.auth.routes.js: new resolveAnonymousCustomerId picks the anon
  prefix ONLY from a verified Bearer JWT — closes the UUID-leak attack
  where a tamper-able body field could mis-route someone else's
  transactions. /otp/verify, /google, /apple all use it; the body field
  `anonymous_customer_id` is no longer accepted on any of them.
- test/services/auth.service.test.js: 9 Vitest cases covering phone +
  Google + Apple, all 4 logic cases + multi-merge accumulation.

Customer app
- auth_notifier.dart::verifyOtp: drop `skipAuth: true` and the dead
  body field so ApiClient auto-attaches the anon's Bearer from
  AuthBridge. Survives the AuthOtpSentData state transition (the
  earlier `_currentAnonymousCustomerId()` state-drop bug is bypassed by
  sourcing the id from the bridge instead of state).
- Google + Apple client paths remain unchanged (gated on provider
  creds; mirror this fix when wiring lands).

Docs
- flow_customer.mermaid.md: new §2.1 sub-section with the merge
  diagram, schema note, replaces-current-behaviour paragraph, and
  Bearer-only security callout.
- phase3.4-testing.md: §1.5 line 76 simplified (no more per-path
  split); new §1.5.1 with the 5-step operator scenario + DB invariants
  + curl recipe + Vitest pointer; new §1.5.2 covering Google/Apple
  parity (deferred client work flagged).

Verification (against live dev backend, before this commit):
- Vitest: 9/9 in auth.service.test.js; 49/51 overall (2 unrelated
  pre-existing failures in session-timer.service.test.js).
- Operator Node smoke: 14/14 in the §1.5.1 scenario; 11/11 in the
  Bearer-precedence cases.
- Real-device UI walkthrough on SM-A530F still pending — see resume
  memory `project_phase4_2_1_resume_test`.

Sister WIP bundled in migrate.js + customer.service.js: `usp_seen`
column + `markCustomerUspSeen` helper (Phase 4 USP one-time gate, was
already uncommitted in the working tree).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
ramadhan sjamsani
2026-05-13 23:57:53 +08:00
parent 22b10c4bbf
commit a48f108fc0
8 changed files with 596 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

223
backend/test/services/auth.service.test.js Normal file
View File

@@ -0,0 +1,223 @@
import { describe, it, expect, beforeEach, vi } from 'vitest'
import { randomUUID } from 'node:crypto'
// Stub the social-identity verifiers so Google/Apple tests don't need real
// id_tokens. Each test passes the synthetic payload directly via the
// id_token string and the mock returns it parsed.
vi.mock('../../src/services/social-identity.service.js', () => ({
verifyGoogleIdToken: vi.fn(async (idToken) => JSON.parse(idToken)),
verifyAppleIdToken: vi.fn(async (idToken) => JSON.parse(idToken)),
}))
const {
completeCustomerPhoneSignIn,
signInWithGoogle,
signInWithApple,
} = await import('../../src/services/auth.service.js')
const { db, resetDb } = await import('../helpers/db.js')
const { createCustomer } = await import('../helpers/fixtures.js')
// Phase 4 §2.1 — Anonymous → existing-user merge breadcrumb.
//
// `resetDb` does NOT truncate the customers table (see helpers/db.js); each
// test must use a phone that's unique across runs to avoid colliding with rows
// left behind by prior runs.
const uniquePhone = () => {
const digits = randomUUID().replace(/[^0-9]/g, '').slice(0, 11).padEnd(11, '0')
return `+628${digits}`
}
describe('completeCustomerPhoneSignIn — Phase 4 §2.1 merge breadcrumb', () => {
beforeEach(async () => {
await resetDb()
})
// --- Case 4: no anon prefix, new phone ---
it('creates a fresh identified customer with null display_name (no anon, new phone)', async () => {
const phone = uniquePhone()
const { profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: null,
deviceInfo: {},
})
expect(profile.phone).toBe(phone)
expect(profile.display_name).toBeNull()
expect(profile.is_anonymous).toBe(false)
expect(profile.account_belongs_to).toBeNull()
})
// --- Case 3: anon prefix, new phone → upgrade in place ---
it('upgrades the anon row in place, preserving display_name (anon, new phone)', async () => {
const phone = uniquePhone()
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: anon.id,
deviceInfo: {},
})
expect(profile.id).toBe(anon.id) // same row, upgraded
expect(profile.phone).toBe(phone)
expect(profile.display_name).toBe('Bujak') // preserved via COALESCE
expect(profile.is_anonymous).toBe(false)
expect(profile.account_belongs_to).toBeNull() // no merge
// No new customer row was created.
const sql = db()
const [{ count }] = await sql`SELECT COUNT(*)::int AS count FROM customers WHERE phone = ${phone}`
expect(count).toBe(1)
})
// --- Case 1: anon prefix, existing phone → stamp breadcrumb, return existing ---
it('stamps account_belongs_to on the anon row and returns the existing customer (anon, existing phone)', async () => {
const phone = uniquePhone()
const existing = await createCustomer({ callName: 'Wati', phone, isAnonymous: false })
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile, tokens } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: anon.id,
deviceInfo: {},
})
// The session logs in AS the existing user.
expect(profile.id).toBe(existing.id)
expect(profile.display_name).toBe('Wati') // existing's name, overwrites local
expect(profile.phone).toBe(phone)
expect(profile.account_belongs_to).toBeNull() // existing row is the target, not stamped
// Token claims point at the existing user (so subsequent requests act as them).
expect(tokens.access_token).toBeDefined()
// Anon row stays intact, now carries the merge breadcrumb.
const sql = db()
const [anonRow] = await sql`SELECT id, display_name, account_belongs_to, is_anonymous FROM customers WHERE id = ${anon.id}`
expect(anonRow).toBeDefined() // not deleted
expect(anonRow.display_name).toBe('Bujak') // preserved
expect(anonRow.account_belongs_to).toBe(existing.id) // breadcrumb stamped
expect(anonRow.is_anonymous).toBe(true) // still anon (for later reconciliation)
})
// --- Case 2a: no anon prefix, existing phone → return existing, no stamping ---
it('returns the existing customer as-is when no anon prefix (existing phone, fresh app)', async () => {
const phone = uniquePhone()
const existing = await createCustomer({ callName: 'Wati', phone, isAnonymous: false })
const { profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: null,
deviceInfo: {},
})
expect(profile.id).toBe(existing.id)
expect(profile.display_name).toBe('Wati')
expect(profile.account_belongs_to).toBeNull()
})
// --- Case 2b: anon id === existing's id (user re-verifying own phone) ---
// No-op merge. account_belongs_to stays null; no self-reference is created.
it('does not self-stamp when the anon id equals the existing customer id (re-verify)', async () => {
const phone = uniquePhone()
const existing = await createCustomer({ callName: 'Wati', phone, isAnonymous: false })
const { profile } = await completeCustomerPhoneSignIn({
phone,
anonymousCustomerId: existing.id, // same id as the existing row
deviceInfo: {},
})
expect(profile.id).toBe(existing.id)
expect(profile.account_belongs_to).toBeNull()
// Verify nothing self-referenced.
const sql = db()
const [row] = await sql`SELECT account_belongs_to FROM customers WHERE id = ${existing.id}`
expect(row.account_belongs_to).toBeNull()
})
// --- Google: stamp breadcrumb on existing-different-id (parity with phone) ---
it('Google: stamps account_belongs_to when existing google_sub differs from anon (Case 1)', async () => {
const googleSub = `g-${randomUUID()}`
const [existing] = await db()`
INSERT INTO customers (display_name, is_anonymous, google_sub, email)
VALUES ('Wati', false, ${googleSub}, 'wati@example.com')
RETURNING ${db()`id, display_name, is_anonymous, phone, email, google_sub, apple_sub, usp_seen, account_belongs_to, created_at`}
`
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile } = await signInWithGoogle({
idToken: JSON.stringify({ sub: googleSub, email: 'wati@example.com' }),
anonymousCustomerId: anon.id,
deviceInfo: {},
})
expect(profile.id).toBe(existing.id)
expect(profile.display_name).toBe('Wati')
const [anonRow] = await db()`SELECT account_belongs_to FROM customers WHERE id = ${anon.id}`
expect(anonRow.account_belongs_to).toBe(existing.id)
})
// --- Google: upgrade-in-place when google_sub is new ---
it('Google: upgrades anon in place when google_sub is new, preserving display_name (Case 3)', async () => {
const googleSub = `g-${randomUUID()}`
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile } = await signInWithGoogle({
idToken: JSON.stringify({ sub: googleSub, email: 'bujak@example.com' }),
anonymousCustomerId: anon.id,
deviceInfo: {},
})
expect(profile.id).toBe(anon.id)
expect(profile.google_sub).toBe(googleSub)
expect(profile.email).toBe('bujak@example.com')
expect(profile.display_name).toBe('Bujak')
expect(profile.is_anonymous).toBe(false)
expect(profile.account_belongs_to).toBeNull()
})
// --- Apple: stamp breadcrumb on existing-different-id (parity with phone) ---
it('Apple: stamps account_belongs_to when existing apple_sub differs from anon (Case 1)', async () => {
const appleSub = `a-${randomUUID()}`
const [existing] = await db()`
INSERT INTO customers (display_name, is_anonymous, apple_sub, email)
VALUES ('Wati', false, ${appleSub}, 'wati@apple.example')
RETURNING ${db()`id, display_name, is_anonymous, phone, email, google_sub, apple_sub, usp_seen, account_belongs_to, created_at`}
`
const anon = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const { profile } = await signInWithApple({
idToken: JSON.stringify({ sub: appleSub, email: 'wati@apple.example' }),
anonymousCustomerId: anon.id,
deviceInfo: {},
})
expect(profile.id).toBe(existing.id)
expect(profile.display_name).toBe('Wati')
const [anonRow] = await db()`SELECT account_belongs_to FROM customers WHERE id = ${anon.id}`
expect(anonRow.account_belongs_to).toBe(existing.id)
})
// --- Multi-merge: same anon path used twice for the same existing user accumulates without conflict ---
it('handles multiple anon rows pointing at the same existing user (multi-merge accumulation)', async () => {
const phone = uniquePhone()
const existing = await createCustomer({ callName: 'Wati', phone, isAnonymous: false })
const anon1 = await createCustomer({ callName: 'Bujak', isAnonymous: true })
const anon2 = await createCustomer({ callName: 'Bendoyo', isAnonymous: true })
await completeCustomerPhoneSignIn({ phone, anonymousCustomerId: anon1.id, deviceInfo: {} })
await completeCustomerPhoneSignIn({ phone, anonymousCustomerId: anon2.id, deviceInfo: {} })
const sql = db()
const rows = await sql`SELECT id, account_belongs_to FROM customers WHERE id IN (${anon1.id}, ${anon2.id}) ORDER BY display_name`
expect(rows).toHaveLength(2)
for (const row of rows) {
expect(row.account_belongs_to).toBe(existing.id)
}
})
})