goodgo-platform/e2e/api/auth-kyc-upload.spec.ts

import { test, expect } from '../fixtures';

/**
 * KYC presigned-upload flow (TEC-2750).
 *
 * Covers:
 * - POST /auth/kyc/upload-urls — presigned URL generation (happy + validation errors)
 * - POST /auth/kyc/submit — accepts URL body; rejects invalid/untrusted URLs
 */

test.describe('POST /auth/kyc/upload-urls', () => {
  test('rejects unauthenticated requests', async ({ request }) => {
    const res = await request.post('auth/kyc/upload-urls', {
      data: { files: [{ field: 'frontImage', mimeType: 'image/jpeg', fileName: 'front.jpg' }] },
    });
    expect(res.status()).toBe(401);
  });

  test('rejects empty files array', async ({ authedRequest }) => {
    const res = await authedRequest.post('auth/kyc/upload-urls', { data: { files: [] } });
    expect(res.ok()).toBeFalsy();
    expect(res.status()).toBe(400);
  });

  test('rejects more than 3 files', async ({ authedRequest }) => {
    const res = await authedRequest.post('auth/kyc/upload-urls', {
      data: {
        files: [
          { field: 'frontImage', mimeType: 'image/jpeg', fileName: 'a.jpg' },
          { field: 'backImage', mimeType: 'image/jpeg', fileName: 'b.jpg' },
          { field: 'selfieImage', mimeType: 'image/jpeg', fileName: 'c.jpg' },
          { field: 'selfieImage', mimeType: 'image/jpeg', fileName: 'd.jpg' },
        ],
      },
    });
    expect(res.ok()).toBeFalsy();
    expect(res.status()).toBe(400);
  });

  test('rejects unsupported field name', async ({ authedRequest }) => {
    const res = await authedRequest.post('auth/kyc/upload-urls', {
      data: {
        files: [{ field: 'not-a-field', mimeType: 'image/jpeg', fileName: 'front.jpg' }],
      },
    });
    expect(res.ok()).toBeFalsy();
    expect(res.status()).toBe(400);
  });
});

test.describe('POST /auth/kyc/submit', () => {
  test('rejects unauthenticated submit', async ({ request }) => {
    const res = await request.post('auth/kyc/submit', {
      data: {
        documentType: 'CCCD',
        documentNumber: '001234567890',
        frontImageUrl: 'https://cdn.goodgo.vn/kyc/front.jpg',
      },
    });
    expect(res.status()).toBe(401);
  });

  test('rejects submit missing required fields', async ({ authedRequest }) => {
    const res = await authedRequest.post('auth/kyc/submit', {
      data: { documentType: 'CCCD' },
    });
    expect(res.ok()).toBeFalsy();
    expect(res.status()).toBe(400);
  });

  test('rejects submit with malformed front image URL', async ({ authedRequest }) => {
    const res = await authedRequest.post('auth/kyc/submit', {
      data: {
        documentType: 'CCCD',
        documentNumber: '001234567890',
        frontImageUrl: 'not-a-url',
      },
    });
    expect(res.ok()).toBeFalsy();
    expect(res.status()).toBe(400);
  });

  test('rejects submit with URL from untrusted host', async ({ authedRequest }) => {
    const res = await authedRequest.post('auth/kyc/submit', {
      data: {
        documentType: 'CCCD',
        documentNumber: '001234567890',
        frontImageUrl: 'https://evil.example.com/kyc/front.jpg',
      },
    });
    expect(res.ok()).toBeFalsy();
    // URL host validation returns 400; never 5xx / 201.
    expect(res.status()).toBe(400);
  });
});