tests: internal-api-feature tests

Author: Kzoeps

e2e/.env.example

@@ -20,6 +20,12 @@ E2E_MAILPIT_URL=https://mailpit.example.com
 E2E_MAILPIT_USER=admin
 E2E_MAILPIT_PASS=
 
+# ── Internal API ──────────────────────────────────────────────────────────────
+# Required for internal-api.feature scenarios. Leave empty to skip them.
+# Must match EPDS_INTERNAL_SECRET on the pds-core service.
+# Copy from the root .env file — it mirrors the Railway environment.
+E2E_INTERNAL_SECRET=
+
 # ── Optional ──────────────────────────────────────────────────────────────────
 
 # Set to 'true' to run headless (no visible browser window). Default: false.

e2e/cucumber.mjs

@@ -3,6 +3,7 @@ export default {
     'features/passwordless-authentication.feature',
     'features/automatic-account-creation.feature',
     'features/consent-screen.feature',
+    'features/internal-api.feature',
   ],
   import: ['e2e/step-definitions/**/*.ts', 'e2e/support/**/*.ts'],
   format: ['pretty', 'html:reports/e2e.html'],

e2e/step-definitions/internal-api.steps.ts

@@ -0,0 +1,213 @@
+/**
+ * Step definitions for internal-api.feature.
+ *
+ * All scenarios are pure HTTP — no browser needed. Steps call the
+ * /_internal/* endpoints on pds-core directly using the shared secret.
+ *
+ * Note: Scenario "PAR login hint retrieval" is tagged @manual — it requires
+ * a real PKCE PAR request. Implement when PAR submission steps exist
+ * (needed for login-hint-resolution.feature too).
+ */
+
+import { Given, When, Then } from '@cucumber/cucumber'
+import type { EpdsWorld } from '../support/world.js'
+import { callInternalApi } from '../support/utils.js'
+
+// ---------------------------------------------------------------------------
+// Background
+// ---------------------------------------------------------------------------
+
+// The internalSecret guard also prevents account-creation Givens from running
+// in scenarios that require the secret — if the secret is absent the entire
+// scenario is marked pending before createAccountViaOAuth is called.
+Given('the internal API secret is configured', function (this: EpdsWorld) {
+  return this.skipIfNoInternalSecret()
+})
+
+// ---------------------------------------------------------------------------
+// Account-by-email
+// ---------------------------------------------------------------------------
+
+When(
+  'the internal API is queried for the account by email',
+  async function (this: EpdsWorld) {
+    if (!this.testEmail)
+      throw new Error('No testEmail — account creation step must run first')
+    const { status, body } = await callInternalApi(
+      `/_internal/account-by-email?email=${encodeURIComponent(this.testEmail)}`,
+      this.env.internalSecret,
+    )
+    this.lastHttpStatus = status
+    this.lastApiResponse = body
+  },
+)
+
+Then("the response contains the account's DID", function (this: EpdsWorld) {
+  if (!this.userDid)
+    throw new Error('No userDid — account creation step must run first')
+  if (!this.lastApiResponse)
+    throw new Error('No API response — query step must run first')
+  const did = this.lastApiResponse.did
+  if (did !== this.userDid) {
+    throw new Error(`Expected DID "${this.userDid}" but got "${String(did)}"`)
+  }
+})
+
+When(
+  'the internal API is queried for account-by-email with an unknown address',
+  async function (this: EpdsWorld) {
+    const unknown = `unknown-${Date.now()}@example.com`
+    const { status, body } = await callInternalApi(
+      `/_internal/account-by-email?email=${encodeURIComponent(unknown)}`,
+      this.env.internalSecret,
+    )
+    this.lastHttpStatus = status
+    this.lastApiResponse = body
+  },
+)
+
+Then('the response status is 200', function (this: EpdsWorld) {
+  if (this.lastHttpStatus !== 200) {
+    throw new Error(
+      `Expected status 200 but got ${String(this.lastHttpStatus)}`,
+    )
+  }
+})
+
+Then('the response body has a null DID', function (this: EpdsWorld) {
+  if (!this.lastApiResponse)
+    throw new Error('No API response — query step must run first')
+  if (this.lastApiResponse.did !== null) {
+    throw new Error(
+      `Expected did to be null but got "${String(this.lastApiResponse.did)}"`,
+    )
+  }
+})
+
+// ---------------------------------------------------------------------------
+// Account-by-handle
+// ---------------------------------------------------------------------------
+
+When(
+  'the internal API is queried for the account by handle',
+  async function (this: EpdsWorld) {
+    if (!this.userHandle)
+      throw new Error('No userHandle — account creation step must run first')
+    const { status, body } = await callInternalApi(
+      `/_internal/account-by-handle?handle=${encodeURIComponent(this.userHandle)}`,
+      this.env.internalSecret,
+    )
+    this.lastHttpStatus = status
+    this.lastApiResponse = body
+  },
+)
+
+Then("the response contains the account's email", function (this: EpdsWorld) {
+  if (!this.testEmail)
+    throw new Error('No testEmail — account creation step must run first')
+  if (!this.lastApiResponse)
+    throw new Error('No API response — query step must run first')
+  const email = this.lastApiResponse.email
+  if (email !== this.testEmail) {
+    throw new Error(
+      `Expected email "${this.testEmail}" but got "${String(email)}"`,
+    )
+  }
+})
+
+// ---------------------------------------------------------------------------
+// Check-handle
+// ---------------------------------------------------------------------------
+
+When(
+  'the internal API is queried to check if the handle exists',
+  async function (this: EpdsWorld) {
+    if (!this.userHandle)
+      throw new Error('No userHandle — account creation step must run first')
+    const { status, body } = await callInternalApi(
+      `/_internal/check-handle?handle=${encodeURIComponent(this.userHandle)}`,
+      this.env.internalSecret,
+    )
+    this.lastHttpStatus = status
+    this.lastApiResponse = body
+  },
+)
+
+Then('the response indicates the handle exists', function (this: EpdsWorld) {
+  if (!this.lastApiResponse)
+    throw new Error('No API response — query step must run first')
+  if (this.lastApiResponse.exists !== true) {
+    throw new Error(
+      `Expected exists to be true but got "${String(this.lastApiResponse.exists)}"`,
+    )
+  }
+})
+
+// ---------------------------------------------------------------------------
+// Auth errors
+// ---------------------------------------------------------------------------
+
+When(
+  'the check-handle endpoint is called with an incorrect secret',
+  async function (this: EpdsWorld) {
+    const { status, body } = await callInternalApi(
+      `/_internal/check-handle?handle=somehandle.pds.test`,
+      'definitely-wrong-secret',
+    )
+    this.lastHttpStatus = status
+    this.lastApiResponse = body
+  },
+)
+
+When(
+  'an internal endpoint is called without the secret header',
+  async function (this: EpdsWorld) {
+    const { status, body } = await callInternalApi(
+      `/_internal/account-by-email?email=test@example.com`,
+      null,
+    )
+    this.lastHttpStatus = status
+    this.lastApiResponse = body
+  },
+)
+
+When(
+  'an internal endpoint is called with an incorrect secret',
+  async function (this: EpdsWorld) {
+    const { status, body } = await callInternalApi(
+      `/_internal/account-by-email?email=test@example.com`,
+      'definitely-wrong-secret',
+    )
+    this.lastHttpStatus = status
+    this.lastApiResponse = body
+  },
+)
+
+Then('the response status is 401', function (this: EpdsWorld) {
+  if (this.lastHttpStatus !== 401) {
+    throw new Error(
+      `Expected status 401 but got ${String(this.lastHttpStatus)}`,
+    )
+  }
+})
+
+Then('the response body contains an auth error', function (this: EpdsWorld) {
+  if (!this.lastApiResponse)
+    throw new Error('No API response — query step must run first')
+  const error = this.lastApiResponse.error
+  if (typeof error !== 'string' || !error) {
+    throw new Error(
+      `Expected response body to contain an error string but got "${String(error)}"`,
+    )
+  }
+})
+
+// check-handle returns 403 (not 401) on bad secret — this is an intentional
+// server-side inconsistency documented in the route code
+Then('the response status is 403', function (this: EpdsWorld) {
+  if (this.lastHttpStatus !== 403) {
+    throw new Error(
+      `Expected status 403 but got ${String(this.lastHttpStatus)}`,
+    )
+  }
+})

e2e/support/env.ts

@@ -23,6 +23,7 @@ export const testEnv = {
     'https://mailpit-e2e-karma-test.up.railway.app',
   mailpitUser: process.env.E2E_MAILPIT_USER ?? 'karma',
   mailpitPass: process.env.E2E_MAILPIT_PASS ?? '',
+  internalSecret: process.env.E2E_INTERNAL_SECRET ?? '',
   otpLength: Math.min(12, Math.max(4, Number(process.env.OTP_LENGTH ?? '8'))),
   otpCharset: (process.env.OTP_CHARSET ?? 'numeric') as
     | 'numeric'

e2e/support/utils.ts

@@ -3,6 +3,7 @@
  */
 
 import type { EpdsWorld } from './world.js'
+import { testEnv } from './env.js'
 
 /**
  * Returns the Playwright Page from the world, throwing a clear error if
@@ -14,3 +15,32 @@ export function getPage(world: EpdsWorld) {
   if (!page) throw new Error('page is not initialised')
   return page
 }
+
+/**
+ * Makes an HTTP call to a /_internal/* endpoint on pds-core.
+ *
+ * - Pass `secret` as a string to include the x-internal-secret header.
+ * - Pass `null` to omit the header entirely (for testing missing-secret scenarios).
+ * - Safely handles non-JSON responses (e.g. 502 proxy errors) by falling back
+ *   to `{ raw: <text> }` rather than throwing a SyntaxError.
+ */
+export async function callInternalApi(
+  path: string,
+  secret: string | null,
+): Promise<{ status: number; body: Record<string, unknown> }> {
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+  }
+  if (secret !== null) {
+    headers['x-internal-secret'] = secret
+  }
+  const res = await fetch(`${testEnv.pdsUrl}${path}`, { headers })
+  let body: Record<string, unknown>
+  try {
+    body = (await res.json()) as Record<string, unknown>
+  } catch {
+    const raw = await res.text().catch(() => '<unreadable>')
+    body = { raw }
+  }
+  return { status: res.status, body }
+}

e2e/support/world.ts

@@ -25,6 +25,12 @@ export class EpdsWorld extends World {
   /** HTTP status code from the most recent direct API call — set by API steps. */
   lastHttpStatus?: number
 
+  /** Response body from the most recent internal API call — set by internal-api steps. */
+  lastApiResponse?: Record<string, unknown>
+
+  /** Most recent PAR request_uri — set by PAR submission steps. */
+  lastRequestUri?: string
+
   get env() {
     return testEnv
   }
@@ -39,6 +45,18 @@ export class EpdsWorld extends World {
       return 'pending'
     }
   }
+
+  /**
+   * Call in any step that requires the internal API secret. If
+   * E2E_INTERNAL_SECRET is not set, marks the step as pending and
+   * cucumber-js skips remaining steps in the scenario.
+   * When the secret is available, this is a no-op and the step executes normally.
+   */
+  skipIfNoInternalSecret(): 'pending' | undefined {
+    if (!testEnv.internalSecret) {
+      return 'pending'
+    }
+  }
 }
 
 setWorldConstructor(EpdsWorld)

features/internal-api.feature

@@ -6,31 +6,49 @@ Feature: Internal service-to-service API
 
   Background:
     Given the ePDS test environment is running
-    And the internal API is accessible (e.g. via Docker network)
+    And the internal API secret is configured
 
-  Scenario: Account lookup by email returns DID
-    Given "alice@example.com" has a PDS account with DID "did:plc:alice"
-    When GET /_internal/account-by-email?email=alice@example.com is called with valid x-internal-secret
-    Then the response is 200 with { "did": "did:plc:alice" }
+  Scenario: Account lookup by email returns the account's DID
+    Given a new user has registered via the demo client
+    When the internal API is queried for the account by email
+    Then the response contains the account's DID
 
-  Scenario: Account lookup by email returns null for unknown email
-    When GET /_internal/account-by-email?email=unknown@example.com is called with valid x-internal-secret
-    Then the response is 200 with { "did": null }
+  Scenario: Account lookup by email returns null for an unknown email
+    When the internal API is queried for account-by-email with an unknown address
+    Then the response status is 200
+    And the response body has a null DID
 
-  Scenario: Handle resolution returns email
-    Given a PDS account with handle "alice.pds.test" and email "alice@example.com"
-    When GET /_internal/account-by-handle?handle=alice.pds.test is called with valid x-internal-secret
-    Then the response is 200 with { "email": "alice@example.com" }
+  Scenario: Handle resolution returns the account's email
+    Given a new user has registered via the demo client
+    When the internal API is queried for the account by handle
+    Then the response contains the account's email
 
+  Scenario: Check-handle returns true for an existing handle
+    Given a new user has registered via the demo client
+    When the internal API is queried to check if the handle exists
+    Then the response indicates the handle exists
+
+  # @manual: requires a real PKCE PAR request — implement when PAR submission
+  # steps exist (also needed for login-hint-resolution.feature)
+  @manual
   Scenario: PAR login hint retrieval
-    Given an OAuth client submitted a PAR request with login_hint "alice.pds.test"
-    When GET /_internal/par-login-hint?request_uri=<the-request-uri> is called with valid x-internal-secret
-    Then the response is 200 with { "login_hint": "alice.pds.test" }
+    Given a new user has registered via the demo client
+    When the demo client submits a PAR request with the user's handle as login_hint
+    And the internal API is queried for the PAR login hint
+    Then the response contains the user's handle as the login hint
 
   Scenario: Missing internal secret returns 401
-    When any /_internal/* endpoint is called without the x-internal-secret header
+    When an internal endpoint is called without the secret header
     Then the response status is 401
+    And the response body contains an auth error
 
   Scenario: Wrong internal secret returns 401
-    When any /_internal/* endpoint is called with an incorrect x-internal-secret
+    When an internal endpoint is called with an incorrect secret
     Then the response status is 401
+    And the response body contains an auth error
+
+  # check-handle returns 403 (not 401) on bad secret — server-side inconsistency
+  Scenario: Wrong internal secret on check-handle returns 403
+    When the check-handle endpoint is called with an incorrect secret
+    Then the response status is 403
+    And the response body contains an auth error