- Backend wraps idn-finlogos npm at /assets/payment-icons/<slug>.svg with
1y immutable cache. Mobile drops bundled SVGs (only placeholder remains)
and fetches via flutter_cache_manager. payment_methods.icon is now a
CSV of slugs; catalog emits icon_urls[]. CARDS tile renders Visa + MC +
JCB side by side.
- Per-method min/max amount bounds (BIGINT, nullable). Picker greys out
out-of-range tiles with subtitle; backend gates with INVALID_PAYMENT_AMOUNT
(422). Defense in depth against stale-catalog clients.
- Xendit channel codes corrected from authoritative docs
(BCA_VA -> BCA_VIRTUAL_ACCOUNT, CREDIT_CARD -> CARDS, ovo -> ovo-new,
shopeepay -> shopee-pay, ...). 18 methods x 5 groups seeded with
Xendit-published per-channel min/max.
- Re-runnable seed (ON CONFLICT DO NOTHING on payment_code + new unique
index on group name). Operator CC edits never clobbered across re-runs.
One-shot reset + inspect scripts under backend/.dev/.
- Customer redirect HTML pages at /payment/return/{success,failure},
brand-styled with "Buka HaloBestie" CTA firing halobestie:// deeplink.
URL scheme registered on Android (intent-filter w/ BROWSABLE on
MainActivity) and iOS (CFBundleURLTypes). Waiting-payment poller still
owns confirmation; deeplink just brings the activity to foreground.
- Control center payment-catalog page: min/max inputs + columns. Other
CC pages restyled with new theme tokens (separate work, bundled here).
169/169 backend tests pass. See requirement/phase5-payment-revamp-2026-05-27.md
for the full revamp doc. Stage 8 (E2E) still pending: webhook URL routing
decision + two client_app follow-ups (legacy /chat/request removal,
extension Custom Tab).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
60 lines
2.0 KiB
JavaScript
import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest'

vi.mock('../../src/plugins/websocket.js', () => ({
  sendToUser: vi.fn(() => false),
  sendToSessionParticipant: vi.fn(() => false),
  registerWebSocketPlugin: vi.fn(async () => {}),
  registerWebSocketRoute: vi.fn(),
  isUserOnlineWs: vi.fn(() => false),
  getSessionConnections: vi.fn(() => ({})),
}))
vi.mock('../../src/services/notification.service.js', () => ({
  sendPushNotification: vi.fn(async () => true),
  registerDeviceToken: vi.fn(async () => {}),
}))

const { buildPublic } = await import('../helpers/server.js')

describe('GET /assets/payment-icons/:slug.svg', () => {
  let app

  beforeAll(async () => {
    app = await buildPublic()
  })

  afterAll(async () => {
    await app.close()
  })

  it('serves a known idn-finlogos slug with svg content-type and immutable cache', async () => {
    // 'qris' is one of our seeded slugs and is shipped by idn-finlogos.
    const res = await app.inject({ method: 'GET', url: '/assets/payment-icons/qris.svg' })
    expect(res.statusCode).toBe(200)
    expect(res.headers['content-type']).toBe('image/svg+xml')
    expect(res.headers['cache-control']).toBe('public, max-age=31536000, immutable')
    expect(res.body).toMatch(/^<\?xml|^<svg/)
  })

  it('404s on an unknown slug', async () => {
    const res = await app.inject({
      method: 'GET',
      url: '/assets/payment-icons/definitely-not-a-real-bank.svg',
    })
    expect(res.statusCode).toBe(404)
    const body = JSON.parse(res.body)
    expect(body.error.code).toBe('NOT_FOUND')
  })

  it('404s on slug with path-traversal characters', async () => {
    // Fastify normalises `..` in the URL, so this resolves to the parent
    // route; we still expect a 404 (no SVG matches) — but the SLUG_RE guard
    // is what would catch an unencoded attempt if a router ever let one
    // through, so we cover its negative case here.
    const res = await app.inject({
      method: 'GET',
      url: '/assets/payment-icons/UPPER.svg',
    })
    expect(res.statusCode).toBe(404)
  })
})
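
The last test above exercises the slug guard with an uppercase slug only. The following is an added example, not the project's own handler, of a handler-level guard that also rejects percent-encoded traversal and malformed encodings without ever building a filesystem path from request input. The `SLUG_RE` pattern, `MAX_SLUG_LEN`, `KNOWN_ICONS`, and the function names are assumptions; the page does not show the real definitions.

```javascript
// Assumed allow-list pattern: lowercase alphanumerics with single hyphens.
// The project's real SLUG_RE is not shown on the page.
const SLUG_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
const MAX_SLUG_LEN = 64; // assumed bound
const PREFIX = '/assets/payment-icons/';
const SUFFIX = '.svg';

// Constructed stand-in for the set of icons the package actually ships.
const KNOWN_ICONS = new Set(['qris', 'visa', 'mastercard', 'jcb']);

// Validate a decoded slug. The file name comes from the allow-list entry,
// so request input is never concatenated into a path.
function checkSlug(slug) {
  if (typeof slug !== 'string' || slug.length === 0 || slug.length > MAX_SLUG_LEN) {
    return { ok: false, reason: 'length' };
  }
  if (!SLUG_RE.test(slug)) return { ok: false, reason: 'charset' };
  if (!KNOWN_ICONS.has(slug)) return { ok: false, reason: 'unknown' };
  return { ok: true, file: slug + SUFFIX };
}

// Map a raw URL path to a response decision. Every rejection is a 404 so
// the endpoint does not reveal which check failed; `reason` is for logs.
function resolveIconRequest(urlPath) {
  if (!urlPath.startsWith(PREFIX) || !urlPath.endsWith(SUFFIX)) {
    return { status: 404, reason: 'route' };
  }
  let slug;
  try {
    // Decode before validating so %2e%2e%2f is judged as "../".
    slug = decodeURIComponent(urlPath.slice(PREFIX.length, -SUFFIX.length));
  } catch {
    return { status: 404, reason: 'encoding' };
  }
  const result = checkSlug(slug);
  return result.ok
    ? { status: 200, file: result.file }
    : { status: 404, reason: result.reason };
}
```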