test(auth,payments,subs): add 58 unit tests for critical auth, payment, and subscription paths

Cover auth handlers (RegisterUser, LoginUser, RefreshToken), TokenService
(token rotation, reuse attack detection), payment callback edge cases
(duplicate/concurrent callbacks, multi-provider), subscription lifecycle
transitions (expire, pastDue, renew), and throttler proxy guard.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

e2e/global-setup.ts

@@ -0,0 +1,55 @@
+/* eslint-disable no-console */
+import { execSync } from 'node:child_process';
+import path from 'node:path';
+
+/**
+ * Playwright globalSetup — runs once before all E2E tests.
+ *
+ * 1. Loads .env.test (if present) so DATABASE_URL points to the test DB.
+ * 2. Runs Prisma migrations against the test database.
+ * 3. Seeds the test database with sample data.
+ */
+export default async function globalSetup() {
+  const root = path.resolve(__dirname, '..');
+  const envTestPath = path.join(root, '.env.test');
+  const isCI = !!process.env.CI;
+
+  // In CI, env vars are already set by the workflow; locally, load .env.test
+  if (!isCI) {
+    const { config } = await import('dotenv');
+    config({ path: envTestPath, override: true });
+  }
+
+  const databaseUrl = process.env.DATABASE_URL;
+  if (!databaseUrl) {
+    throw new Error(
+      'DATABASE_URL is not set. Create .env.test or set it in your environment.',
+    );
+  }
+
+  // In CI, the workflow already runs migrations + seed before Playwright.
+  // Skip to avoid duplicate work; only validate DATABASE_URL is set.
+  if (isCI) {
+    console.log('[E2E globalSetup] CI detected — skipping migrations/seed (handled by workflow).');
+    return;
+  }
+
+  console.log('\n[E2E globalSetup] Preparing test database...');
+  console.log(`[E2E globalSetup] DATABASE_URL = ${databaseUrl.replace(/\/\/.*@/, '//***@')}`);
+
+  const execOpts = {
+    cwd: root,
+    stdio: 'inherit' as const,
+    env: { ...process.env, DATABASE_URL: databaseUrl },
+  };
+
+  // Run migrations (deploy = no interactive prompts, safe for test)
+  console.log('[E2E globalSetup] Running prisma migrate deploy...');
+  execSync('npx prisma migrate deploy', execOpts);
+
+  // Seed database (upserts are idempotent)
+  console.log('[E2E globalSetup] Seeding test database...');
+  execSync('npx prisma db seed', execOpts);
+
+  console.log('[E2E globalSetup] Test database ready.\n');
+}

e2e/global-teardown.ts

@@ -0,0 +1,78 @@
+/* eslint-disable no-console */
+import path from 'node:path';
+
+/**
+ * Playwright globalTeardown — runs once after all E2E tests.
+ *
+ * Cleans up test-generated data (users, listings, etc.) while preserving
+ * seed data for the next run. This ensures isolation between test runs.
+ */
+export default async function globalTeardown() {
+  const root = path.resolve(__dirname, '..');
+  const isCI = !!process.env.CI;
+
+  if (!isCI) {
+    const { config } = await import('dotenv');
+    config({ path: path.join(root, '.env.test'), override: true });
+  }
+
+  const databaseUrl = process.env.DATABASE_URL;
+  if (!databaseUrl) {
+    console.warn('[E2E globalTeardown] DATABASE_URL not set, skipping cleanup.');
+    return;
+  }
+
+  console.log('\n[E2E globalTeardown] Cleaning up test-generated data...');
+
+  // Dynamic import to avoid top-level side effects
+  const pg = await import('pg');
+  const pool = new pg.default.Pool({ connectionString: databaseUrl });
+
+  try {
+    // Delete test-generated records (those NOT created by seed).
+    // Seed data uses known IDs (prop-1..prop-5, listing-1..listing-5)
+    // and known phones (0900000001..0900000005).
+    // Test fixtures generate users with phone starting with '09' + timestamp digits.
+    //
+    // Order matters due to foreign key constraints.
+    // Seed phones and IDs to preserve between runs
+    const SEED_PHONES = `('0900000001','0900000002','0900000003','0900000004','0900000005')`;
+    const SEED_LISTING_IDS = `('listing-1','listing-2','listing-3','listing-4','listing-5')`;
+    const SEED_PROP_IDS = `('prop-1','prop-2','prop-3','prop-4','prop-5')`;
+    const NON_SEED_USERS = `SELECT id FROM "User" WHERE phone NOT IN ${SEED_PHONES}`;
+
+    await pool.query(`
+      -- Delete test-generated data in dependency order (FK-safe)
+      DELETE FROM "NotificationLog" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "NotificationPreference" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "Review" WHERE "reviewerId" IN (${NON_SEED_USERS});
+      DELETE FROM "Lead" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "Inquiry" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "Transaction" WHERE "sellerId" IN (${NON_SEED_USERS});
+      DELETE FROM "Payment" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "UsageRecord" WHERE "subscriptionId" IN (
+        SELECT s.id FROM "Subscription" s
+        JOIN "User" u ON s."userId" = u.id
+        WHERE u.phone NOT IN ${SEED_PHONES}
+      );
+      DELETE FROM "Subscription" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "Valuation" WHERE "propertyId" NOT IN ${SEED_PROP_IDS};
+      DELETE FROM "ListingMedia" WHERE "listingId" NOT IN ${SEED_LISTING_IDS};
+      DELETE FROM "Listing" WHERE id NOT IN ${SEED_LISTING_IDS};
+      DELETE FROM "PropertyMedia" WHERE "propertyId" NOT IN ${SEED_PROP_IDS};
+      DELETE FROM "Property" WHERE id NOT IN ${SEED_PROP_IDS};
+      DELETE FROM "Agent" WHERE "userId" IN (${NON_SEED_USERS});
+      -- RefreshToken and OAuthAccount cascade from User, but delete explicitly for safety
+      DELETE FROM "RefreshToken" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "OAuthAccount" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "SavedSearch" WHERE "userId" IN (${NON_SEED_USERS});
+      DELETE FROM "User" WHERE phone NOT IN ${SEED_PHONES};
+    `);
+
+    console.log('[E2E globalTeardown] Test data cleaned up successfully.\n');
+  } catch (err) {
+    console.error('[E2E globalTeardown] Cleanup error (non-fatal):', err);
+  } finally {
+    await pool.end();
+  }
+}