Accesses with account streams POST /accesses When using a personal access to create an access for visible account streams with a read-level permission
UE9G | ✅ | should return 201 |
BUYP | ✅ | should create access in the database |
S3IQ | ✅ | should enable user to read visible stream event with this access |
Accesses with account streams POST /accesses When using a personal access to create an access for visible account streams with a read-level permission for the “account” stream |
XEAK | ✅ | should return 201 |
65I4 | ✅ | should create access in the database |
L99L | ✅ | should allow to access visible events in storageUsed |
Accesses with account streams POST /accesses When using a personal access to create an access for visible account streams with a read-level permission for the “storageUsed” stream |
EPEP | ✅ | should return 201 |
U3UM | ✅ | should create access in the database |
A4UP | ✅ | should allow to access visible events in storageUsed |
Accesses with account streams POST /accesses When using a personal access to create an access for visible account streams with a create-only-level permission |
IWMQ | ✅ | should return 201 |
APYN | ✅ | should create access in the database |
Accesses with account streams POST /accesses When using a personal access to create an access for visible account streams with a contribute-level permission |
R0M1 | ✅ | should return 201 |
Q8R8 | ✅ | should create access in the database |
TI1X | ✅ | should allow to create visible stream events |
Accesses with account streams POST /accesses When using a personal access to create an access for visible account streams with a manage-level permission |
93HO | ✅ | should return 400 |
YPHX | ✅ | should return the correct error |
Accesses with account streams POST /accesses When using a personal access to create an access for not visible account streams |
ATGU | ✅ | should return 400 |
Q2KZ | ✅ | should return the correct error |
Accesses with account streams POST /accesses When using a personal access to create an access for unexisting system streams |
KKKS | ✅ | should return 403 forbidden |
Accesses with account streams DELETE /accesses When using a personal access to delete an account stream access |
Z40J | ✅ | should return 200 |
MP9T | ✅ | should delete the access in the database |
Accesses access deletions when given a few existing accesses accesses.get |
H7ZS | ✅ | access should contain tokens and apiEndpoints |
P12L | ✅ | should contain deletions |
BQ7M | ✅ | contains active accesses |
NVCQ | ✅ | contains deleted accesses as well |
6ZQL | ✅ | deleted access are in UTC (seconds) format |
Accesses access deletions when given a few existing accesses accesses.create for a valid access |
N3Q1 | ✅ | should contain an access |
8UOW | ✅ | access should contain token and apiEndpoint |
J77Z | ✅ | should contain the set values, but no “deleted” field in the API response |
A4JP | ✅ | should contain the field “deleted:null” in the database |
Accesses access deletions when given a few existing accesses accesses.create for a deleted access |
1DJ6 | ✅ | should return an error |
7ZPK | ✅ | error should say that the deleted field is forbidden upon creation |
Accesses access deletions when given a few existing accesses accesses.update |
JNJK | ✅ | should return an error |
OS36 | ✅ | error should say that the deleted field is forbidden upon update |
Accesses Delete app access when deleting an app access that created shared accesses |
WE2O | ✅ | should return the accessDeletion and relatedDeletions |
IVWP | ✅ | should delete it and the accesses it created, not touching the expired ones |
Accesses access expiry when given a few existing accesses accesses.get vanilla version |
489J | ✅ | succeeds |
7NPE | ✅ | contains only active accesses |
Accesses access expiry when given a few existing accesses accesses.get when given the includeExpired=true parameter |
PIGE | ✅ | succeeds |
DZHL | ✅ | includes expired accesses |
Accesses access expiry when given a few existing accesses accesses.create when called with expireAfter>0 |
3ONA | ✅ | creates an access with set expiry timestamp |
Accesses access expiry when given a few existing accesses accesses.create when called with expireAfter=0 |
8B65 | ✅ | creates an expired access |
Accesses access expiry when given a few existing accesses accesses.create when called with expireAfter<0
JHWH | ✅ | fails |
Accesses access expiry when given a few existing accesses accesses.create Store accesses |
JZWH | ✅ | create an access on :dummy: store |
JUWH | ✅ | create an access :dummy:marcella on :dummy: store |
Accesses access expiry when given a few existing accesses accesses.checkApp when the matching access is not expired |
B66B | ✅ | returns the matching access |
Accesses access expiry when given a few existing accesses accesses.checkApp when the matching access is expired |
DLHJ | ✅ | returns no match |
Accesses access expiry when given a few existing accesses other API accesses using an expired access |
AJG5 | ✅ | fails |
KGT4 | ✅ | returns a proper error message |
Accesses access expiry when given a few existing accesses other API accesses using a valid access |
CBRF | ✅ | succeeds |
Accesses access client data when given a few existing accesses accesses.get |
KML2 | ✅ | succeeds |
NY85 | ✅ | contains existing accesses with clientData |
Accesses access client data when given a few existing accesses accesses.create when called with clientData={} |
OMUO | ✅ | creates an access with empty clientData |
Accesses access client data when given a few existing accesses accesses.create when called with clientData=null |
E5C1 | ✅ | throws a schema error |
Accesses access client data when given a few existing accesses accesses.create when called with complex clientData |
JYD4 | ✅ | creates an access with complex clientData |
Accesses access client data when given a few existing accesses accesses.checkApp when the provided clientData matches the existing clientData |
U1AM | ✅ | returns the matching access |
Accesses access client data when given a few existing accesses accesses.checkApp when the provided clientData does not match the existing clientData |
2EER | ✅ | returns no match |
Accesses access client data when given a few existing accesses accesses.checkApp when no clientData is provided but existing access has one |
DHZQ | ✅ | returns no match |
Accesses access-info |
PH0K | ✅ | should return the username |
Accesses access-info [APRA] When password rules are enabled |
2X82 | ✅ | must return password information for personal accesses |
Q7J6 | ✅ | must not return password information for other accesses |
[ACCO] Account with system streams GET /account and when user has multiple events per stream and additional streams events |
XRKX | ✅ | should return 200 |
JUHR | ✅ | should return account information in the structure that is defined in system streams and only active values |
R5S0 | ✅ | should return only visible default stream events |
[ACCO] Account with system streams POST /change-password and when valid data is provided |
X9VQ | ✅ | should return 200 |
ACNE | ✅ | should find password in password history |
[ACCO] Account with system streams PUT /account when updating the username |
P69J | ✅ | should return 400 |
DBM6 | ✅ | should return the correct error |
[ACCO] Account with system streams PUT /account when updating non editable fields |
90N3 | ✅ | should return 400 |
QHZ4 | ✅ | should return the correct error |
[ACCO] Account with system streams PUT /account when updating a unique field that is already taken and the field is not unique in mongodb |
K3X9 | ✅ | should return a 409 error |
8TRP | ✅ | should return the correct error |
[ACCO] Account with system streams PUT /account when updating email and language and non-active fields exists |
JJ81 | ✅ | should return 200 |
K9IC | ✅ | should return updated account data |
JQHX | ✅ | should update only active events in the database |
Y6MC | ✅ | Should send a request to service-register to update its user main information and unique fields |
Audit logs events GET /events |
0BK7 | ✅ | must not return null values or trashed=false |
VBV0 | ✅ | must not return “auth” in “content:query” |
R8MS | ✅ | must escape special characters |
Audit logs events GET /audit/logs |
RV4W | ✅ | must return a valid id field |
[FG5R] Events of system streams GET /events When using a personal access |
KS6K | ✅ | should return visible system events only |
[FG5R] Events of system streams GET /events When using a shared access with a read-level permission on the .account stream |
DRFH | ✅ | should return visible system events only |
[FG5R] Events of system streams GET /events When using a shared access with a read-level permission on all streams (star) and a visible system stream |
GF3A | ✅ | should return only the account event for which a permission was explicitly provided |
[FG5R] Events of system streams GET /events When using a shared access with a read-level permission on all streams (star) |
RM74 | ✅ | should not return any system events |
[FG5R] Events of system streams GET /events/ When using a personal access to retrieve a visible system event |
9IEX | ✅ | should return 200 |
IYE6 | ✅ | should return the event |
[FG5R] Events of system streams GET /events/ When using a personal access to retrieve a non visible system event |
Y2OA | ✅ | should return 403 |
DHZE | ✅ | should return the right error message |
[FG5R] Events of system streams GET /events/ When using a shared access with a read-level permission on all streams (star) and a visible system stream |
YPZX | ✅ | should return 200 |
1NRM | ✅ | should return the event |
[FG5R] Events of system streams POST /events When using a personal access to create an editable system event which is non indexed and non unique |
F308 | ✅ | should return 201 |
9C2D | ✅ | should return the created event |
A9DC | ✅ | should add the ‘active’ streamId to the new event which should be removed from other events of the same stream |
[FG5R] Events of system streams POST /events When using a personal access to create an editable system event which is indexed when the new value is valid |
8C80 | ✅ | should return 201 |
67F7 | ✅ | should return the created event |
467D | ✅ | should add the ‘active’ streamId to the new event which should be removed from other events of the same stream |
199D | ✅ | should notify register with the new data |
[FG5R] Events of system streams POST /events When using a personal access to create an editable system event which is indexed when the new value is invalid |
PQHR | ✅ | should return 400 |
[FG5R] Events of system streams POST /events When using a personal access to create an editable system event which is indexed and unique [WCIU] whose content is unique |
SQZ2 | ✅ | should return 201 |
YS79 | ✅ | should return the created event |
DA23 | ✅ | should add the ‘active’ streamId to the new event which should be removed from other events of the same stream |
D316 | ✅ | should notify register with the new data |
[FG5R] Events of system streams POST /events When using a personal access to create an editable system event which is indexed and unique whose content is already taken in register |
89BC | ✅ | should return 409 |
10BC | ✅ | should return the correct error |
[FG5R] Events of system streams POST /events When using a personal access to create an editable system event which is indexed and unique [6B8D] When creating an event that is already taken only on core |
2021 | ✅ | should return a 409 error |
121E | ✅ | should return the correct error |
[FG5R] Events of system streams POST /events When using a personal access to create a non editable system event |
6CE0 | ✅ | should return a 400 error |
90E6 | ✅ | should return the correct error |
[FG5R] Events of system streams POST /events when using a shared access with a contribute-level permission on a system stream |
X49R | ✅ | should return 201 |
764A | ✅ | should return the created event |
765A | ✅ | should notify register with the new data |
[FG5R] Events of system streams POST /events when using a shared access with a manage-level permission on all streams (star) |
YX07 | ✅ | should return 403 |
YYU1 | ✅ | should return correct error id |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is non indexed and non unique |
2FA2 | ✅ | should return 200 |
763A | ✅ | should return the updated event |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is non indexed and non unique by adding the “active” streamId |
562A | ✅ | should return 200 |
5622 | ✅ | should return the updated event |
CF70 | ✅ | should remove the “active” streamId for events of the same stream |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is non indexed and non unique by changing its streamIds when editing with 2 streamIds at the time
8BFK | ✅ | should return 400 |
E3KE | ✅ | should return the correct error |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is non indexed and non unique by changing its streamIds when substituting a system stream with another one
9004 | ✅ | should return 400 |
E3AE | ✅ | should return the correct error |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is indexed as register is working when the new value is valid |
0RUK | ✅ | should return 200 |
E43M | ✅ | should notify register with the updated data |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is indexed as register is working when the new value is valid by adding the “active” streamId |
0D18 | ✅ | should notify register with the updated data |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is indexed as register is working when the new value is invalid |
RDZF | ✅ | should return 400 |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is indexed as register is out |
AA92 | ✅ | should return 500 |
645C | ✅ | should notify register with the updated data |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is unique by updating a unique field that is valid |
4BB1 | ✅ | should return 200 |
GWHU | ✅ | should send a request to service-register to update the unique field |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is unique by updating a unique field that is valid by adding the “active” streamId |
HJWE | ✅ | should return 200 |
6AAT | ✅ | should notify register with the updated data |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is unique by updating a unique field that is already taken with a field that is not unique in register |
F8A8 | ✅ | should return 409 |
5A04 | ✅ | should notify register with the updated data |
[FG5R] Events of system streams PUT /events/ when using a personal access to update an editable system event which is unique by updating a unique field that is already taken with a field that is not unique in mongodb |
5782 | ✅ | should return 409 |
B285 | ✅ | should return the correct error |
[FG5R] Events of system streams PUT /events/ when using a personal access to update a non editable system event |
034D | ✅ | should return 400 |
BB5F | ✅ | should return the correct error |
[FG5R] Events of system streams PUT /events/ when using a shared access with a contribute-level access on a system stream to update an editable system event |
W8PQ | ✅ | should return 200 |
TFOI | ✅ | should return the updated event |
[FG5R] Events of system streams PUT /events/ when using a shared access with a manage-level permission on all streams (star) to update an editable system event |
H1XL | ✅ | should return 403 |
7QA3 | ✅ | should return the correct error |
[FG5R] Events of system streams DELETE /events/ When using a personal access to delete an editable streams event that has no ‘active’ streamId which is unique |
43B1 | ✅ | should return 200 |
3E12 | ✅ | should return the trashed event |
F328 | ✅ | should notify register with the deleted data |
[FG5R] Events of system streams DELETE /events/ When using a personal access to delete an editable streams event that has no ‘active’ streamId which is indexed |
1B70 | ✅ | should return 200 |
CBB9 | ✅ | should return the trashed event |
[FG5R] Events of system streams DELETE /events/ When using a personal access to delete an editable streams event that has the ‘active’ streamId |
10EC | ✅ | should return 400 |
D4CA | ✅ | should return the correct error |
[FG5R] Events of system streams DELETE /events/ When using a personal access to delete a non editable system event |
8EDB | ✅ | should return a 400 |
A727 | ✅ | should return the correct error |
[FG5R] Events of system streams DELETE /events/ when using a shared access with a contribute-level access on a system stream |
I1I1 | ✅ | should return 200 |
UFLT | ✅ | should return the updated event |
[FG5R] Events of system streams DELETE /events/ when using a shared access with a manage-level permission on all streams (star) |
AT1E | ✅ | should return 403 |
FV8W | ✅ | should return the correct error |
Backward-compatibility Tags as prefixed streams when the stream associated to the tag exists when creating an event |
V39L | ✅ | must create the event with the streamIds translated from tags |
Backward-compatibility Tags as prefixed streams when the stream associated to the tag does not exist when creating an event |
OMGX | ✅ | must create the streams with the streamId translated from tags and adapt the event accordingly |
Backward-compatibility Tags as prefixed streams when the stream associated to the tag does not exist when updating an event |
NWQ6 | ✅ | must create the streams with the streamId translated from tags and adapt the event accordingly |
Backward-compatibility Tags as prefixed streams when fetching events |
R3NU | ✅ | should return the event with its tags |
Backward-compatibility System stream id prefix Account streams reserved words
4L48 | ✅ | Can create an “account” stream, and add event to it |
Backward-compatibility System stream id prefix events
Q40I | ✅ | must return old prefixes in events.get |
4YCD | ✅ | must accept old prefixes in events.get |
CF3N | ✅ | must return old prefixes in events.getOne (including history) |
U28C | ✅ | must accept old prefixes in events.create |
YIWX | ✅ | must return old prefixes in events.update |
75DN | ✅ | must return old prefixes in events.delete |
Backward-compatibility System stream id prefix streams
WY07 | ✅ | must return old prefixes in streams.get |
YJS6 | ✅ | must accept old prefixes in streams.get |
CCE8 | ✅ | must handle old prefixes in streams.create |
4DP2 | ✅ | must accept old prefixes in streams.update |
LQ5X | ✅ | must return old prefixes in streams.delete |
Backward-compatibility System stream id prefix accesses
UDJF | ✅ | must return old prefixes in accesses.get |
DWWD | ✅ | must accept old prefixes in accesses.create |
Backward-compatibility System stream id prefix when disabling backward compatibility using the header param to use new prefixes events
CZN1 | ✅ | must return new prefixes in events.get |
SHW1 | ✅ | must accept new prefixes in events.get |
6N5B | ✅ | must return new prefixes in events.getOne (including history) |
65U8 | ✅ | must accept new prefixes in events.create |
CSKF | ✅ | must return new prefixes in events.update |
4IEX | ✅ | must return new prefixes in events.delete |
Backward-compatibility System stream id prefix when disabling backward compatibility using the header param to use new prefixes streams
O7RD | ✅ | must return new prefixes in streams.get |
VMH7 | ✅ | must accept new prefixes in streams.get |
6EFG | ✅ | must handle new prefixes in streams.create |
LVOF | ✅ | must accept new prefixes in streams.update |
C73R | ✅ | must return new prefixes in streams.delete |
Backward-compatibility System stream id prefix when disabling backward compatibility using the header param to use new prefixes accesses
O9OH | ✅ | must return new prefixes in accesses.get |
GFRT | ✅ | must accept new prefixes in accesses.create |
System streams GET /streams When using a personal access |
9CGO | ✅ | Should return all streams - including system ones |
System streams POST /streams When using a personal access to create a child to a system stream |
GRI4 | ✅ | should return status 400 |
XP07 | ✅ | should return the correct error |
System streams PUT /streams/ When using a personal access to update a system stream |
SLIR | ✅ | should return status 400 |
V6HC | ✅ | should return the correct error |
System streams DELETE /streams/ When using a personal access to delete a system stream |
1R35 | ✅ | should return status 400 |
4939 | ✅ | should return the correct error |
[ACCP] accesses (app) GET / |
YEHW | ✅ | must return shared accesses whose permissions are a subset of the current one’s |
GLHP | ✅ | must be forbidden to requests with a shared access token |
[ACCP] accesses (app) POST / |
QVHS | ✅ | must create a new shared access with the sent data and return it |
6GR1 | ✅ | must forbid trying to create a non-shared access |
A4MC | ✅ | must forbid trying to create an access with greater permissions |
QN6D | ✅ | must return a correct error if the sent data is badly formatted |
4HAE | ✅ | must allow creation of shared accesses with an access that has superior permission on root stream (*) |
[ACCP] accesses (app) PUT / |
11UZ | ✅ | must return a 410 (Gone) |
[ACCP] accesses (app) DELETE / |
5BOO | ✅ | must delete the shared access |
ZTSX | ✅ | forbid deletion of already deleted for AppTokens |
VGQS | ✅ | must forbid trying to delete a non-shared access |
ZTSY | ✅ | must forbid trying to delete an access that was not created by itself |
J32P | ✅ | must return a correct error if the access does not exist |
Accesses (personal) GET / |
K5BF | ✅ | must return all accesses (including personal ones) |
Accesses (personal) POST / |
BU9U | ✅ | must create a new shared access with the sent data, returning it |
FPUE | ✅ | must create a new app access with the sent data, creating/restoring requested streams |
865I | ✅ | must accept two app accesses with the same name (app ids) but different device names |
4Y3Y | ✅ | must ignore erroneous requests to create new streams |
WSG8 | ✅ | must fail if a stream similar to that requested for creation already exists |
GVC7 | ✅ | must refuse to create new personal accesses (obtained via login only) |
YRNE | ✅ | must slugify the new access’ predefined token |
00Y3 | ✅ | must return an error if a permission’s streamId has an invalid format |
V3AV | ✅ | must return an error if the sent data is badly formatted |
HETK | ✅ | must refuse empty defaultName values for streams |
YG81 | ✅ | must return an error if an access with the same token already exists |
GZTH | ✅ | must return an error if an access with the same name already exists |
4HO6 | ✅ | must return an error if an “app” access with the same name (app id) and device name already exists |
PO0R | ✅ | must return an error if the device name is set for a non-app access |
RWGG | ✅ | must return an error if the given predefined access’s token is a reserved word |
08SK | ✅ | must return an error if the permission streamId has invalid characters |
Accesses (personal) PUT / |
U04A | ✅ | must return a 410 (Gone) |
Accesses (personal) DELETE / |
S8EK | ✅ | must delete the shared access |
5GBI | ✅ | must delete the personal access |
NN11 | ✅ | must return an error if the access does not exist |
Accesses (personal) POST /check-app |
VCH9 | ✅ | must return the adjusted permissions structure if no access exists |
R8H5 | ✅ | must accept requested permissions with store “:dummy:” and adapt to correct name |
R8H4 | ✅ | must accept requested permissions with “*” for “all streams” |
9QNK | ✅ | must return the existing app access if matching |
IF33 | ✅ | must also return the token of the existing mismatching access if any |
G5T2 | ✅ | must propose fixes to duplicate ids of streams and signal an error when appropriate |
MTY1 | ✅ | must return an error if the sent data is badly formatted |
U5KD | ✅ | must be forbidden to non-personal accesses |
[ACCO] account GET / |
PHSB | ✅ | must return the user’s account details |
K5EI | ✅ | must be forbidden to non-personal accesses |
[ACCO] account PUT / |
0PPV | ✅ | must modify account details with the sent data, notifying register if e-mail changed |
AT0V | ✅ | must return a correct error if the sent data is badly formatted |
NZE2 | ✅ | must be forbidden to non-personal accesses |
[ACCO] account storage space monitoring |
NFJQ | ✅ | must properly compute used storage size for a given user when called |
Y445 | ✅ | must properly compute storage size for all users in nightly script |
0QVH | ✅ | must be approximately updated (diff) when adding an attached file |
93AP | ✅ | must be approximately updated (diff) when deleting an attached file |
5WO0 | ✅ | must be approximately updated (diff) when deleting an event |
[ACCO] account /change-password |
6041 | ✅ | must change the password to the given value |
STWH | ✅ | must return an error if the given old password does not match |
8I1N | ✅ | must return a correct error if the sent data is badly formatted |
J5VH | ✅ | must be forbidden to non-personal accesses |
[ACCO] account /change-password [APWD] When password rules are enabled Complexity rules: |
1YPT | ✅ | must return an error if the new password is too short |
352R | ✅ | must accept the new password if it is long enough |
663A | ✅ | must return an error if the new password does not contain characters from enough categories |
OY2G | ✅ | must accept the new password if it contains characters from enough categories |
[ACCO] account /change-password [APWD] When password rules are enabled Reuse rules: |
AFX4 | ✅ | must return an error if the new password is found in the N last passwords used |
6XXP | ✅ | must accept the new password if different from the N last passwords used |
[ACCO] account /change-password [APWD] When password rules are enabled Age rules: |
J4O6 | ✅ | must return an error if the current password’s age is below the set minimum |
RGGN | ✅ | must accept the new password if the current one’s age is greater than the set minimum |
[ACCO] account /request-password-reset and /reset-password |
G1VN | ✅ | “request” must trigger an email with a reset token, store that token, then “reset” must reset the password to the given value |
HV0V | ✅ | must not trigger a reset email if mailing is deactivated |
VZ1W | ✅ | must not trigger a reset email if reset mail is deactivated |
3P2N | ✅ | must not be possible to use a reset token to illegally change password of another user |
J6GB | ✅ | “request” must return an error if the requesting app is not trusted |
5K14 | ✅ | “request” must return an error if sent data is badly formatted |
PKBP | ✅ | “reset” must return an error if the reset token is invalid/expired |
ON9V | ✅ | “reset” must return an error if the requesting app is not trusted |
T5L9 | ✅ | “reset” must return an error if sent data is badly formatted |
VGRT | ✅ | “reset” must return an error if the reset token was already used |
[ACCO] account /request-password-reset and /reset-password [RPWD] When password rules are enabled |
HZCU | ✅ | must fail if the new password does not comply (smoke test; see “/change-password” tests) |
[PGTD] DELETE /users/:username [USAD] depending on "user-account:delete" config parameter |
8UT7 | ✅ | Should accept when “personalToken” is active and a valid personal token is provided |
IJ5F | ✅ | Should reject when “personalToken” is active and an invalid token is provided |
NZ6G | ✅ | Should reject when only “personalToken” is active and a valid admin token is provided |
UK8H | ✅ | Should accept when “personalToken” and “adminToken” are active and a valid admin token is provided |
[PGTD] DELETE /users/:username [DOA0] dnsLess:isActive = true, openSource:isActive = false when given invalid authorization key |
JNVS | ✅ | should respond with 404 |
[PGTD] DELETE /users/:username [DOA0] dnsLess:isActive = true, openSource:isActive = false when given not existing username |
C58U | ❌ | should respond with 404 |
[PGTD] DELETE /users/:username [DOA1] dnsLess:isActive = false, openSource:isActive = false [D7H1] when given existing username |
T21Z | ✅ | should respond with 200 |
K4J1 | ✅ | should delete user entries from impacted collections |
TIKT | ✅ | should delete user event files |
7WMG | ✅ | should delete HF data |
UWYY | ✅ | should delete user audit events |
U004 | ✅ | should delete user from the cache |
WMMV | ✅ | should not delete entries of other users |
9ZTM | ✅ | should not delete other user event files |
N8TR | ✅ | should delete on register |
[PGTD] DELETE /users/:username [DOA1] dnsLess:isActive = false, openSource:isActive = false when given invalid authorization key |
T3UK | ✅ | should respond with 404 |
[PGTD] DELETE /users/:username [DOA1] dnsLess:isActive = false, openSource:isActive = false when given not existing username |
O73J | ✅ | should respond with 404 |
[PGTD] DELETE /users/:username [DOA2] dnsLess:isActive = true, openSource:isActive = true [D7H2] when given existing username |
TPP2 | ✅ | should respond with 200 |
581Z | ✅ | should delete user entries from impacted collections |
Z2FH | ✅ | should delete user event files |
YD0B | ✅ | should delete HF data |
L2Q1 | ✅ | should delete user audit events |
CQ50 | ✅ | should delete user from the cache |
4IH8 | ✅ | should not delete entries of other users |
33T6 | ✅ | should not delete other user event files |
7D0J | ✅ | should delete on register |
[PGTD] DELETE /users/:username [DOA2] dnsLess:isActive = true, openSource:isActive = true when given invalid authorization key |
SQ8P | ✅ | should respond with 404 |
[PGTD] DELETE /users/:username [DOA2] dnsLess:isActive = true, openSource:isActive = true when given not existing username |
1F2Y | ✅ | should respond with 404 |
[PGTD] DELETE /users/:username User - Create - Delete - Create - Login |
JBZM | ✅ | should be able to recreate this user, and login |
Events.streamIds events GET /events |
WJ0S | ✅ | must return streamIds & streamId containing the first one (if many) |
Events.streamIds events GET /events/:id |
IJQZ | ✅ | must return streamIds & streamId containing the first one (if many) |
Events.streamIds events POST /events |
X4PX | ✅ | must forbid to provide both streamId and streamIds |
Events.streamIds events POST /events when using "streamId" |
1YUV | ✅ | must return streamIds & streamId |
Events.streamIds events POST /events when using "streamIds" |
VXMG | ✅ | must return streamIds & streamId containing the first one |
2QZF | ✅ | must clean duplicate streamIds |
NY0E | ✅ | must forbid providing an unknown streamId |
6Z2D | ✅ | must forbid creating an event in multiple streams, if a contribute permission is missing on at least one stream |
Events.streamIds events PUT /events/:id |
BBBX | ✅ | must return streamIds & streamId containing the first one (if many) |
42KZ | ✅ | must allow modification, if you have a contribute permission on at least 1 streamId |
Q5P7 | ✅ | must forbid to provide both streamId and streamIds |
Events.streamIds events PUT /events/:id when modifying streamIds |
TQHG | ✅ | must forbid providing an unknown streamId |
6Q8B | ✅ | must allow streamId addition, if you have a contribute permission for it |
MFF7 | ✅ | must forbid streamId addition, if you don’t have a contribute permission for it |
83N6 | ✅ | must allow streamId deletion, if you have a contribute permission for it |
JLS5 | ✅ | must forbid streamId deletion, if you have read but no contribute permission for it |
Events.streamIds events POST /event/start |
FOM3 | ✅ | must return a 410 (Gone) |
Events.streamIds events POST /event/stop |
BR33 | ✅ | must return a 410 (Gone) |
Events.streamIds events DELETE /events/:id |
BPL0 | ✅ | must return streamIds & streamId containing the first one (if many) |
T5ZY | ✅ | must allow trashing, if you have a contribute permission on at least 1 streamId |
2G32 | ✅ | must allow deletion, if you have a contribute permission on at least 1 streamId |
6W5Y | ✅ | must forbid trashing, if you don’t have a contribute permission on at least 1 streamId |
Events.streamIds events GET /events/:id/:fileId -- attachments |
JNS8 | ✅ | should retrieve the attachment with the app token |
6YFZ | ✅ | should retrieve the attachment with the app token correct headers |
NH1O | ✅ | should retrieve the attachment with the shared access readToken |
9KAF | ✅ | should retrieve the attachment with the shared access token |
9MEL | ✅ | should retrieve the attachment with the shared access readToken |
Events.streamIds streams POST /streams |
EGW2 | ✅ | must forbid setting the “singleActivity” field |
Events.streamIds streams PUT /streams/:id |
EY79 | ✅ | must forbid setting the “singleActivity” field |
Events.streamIds streams DELETE /streams When the stream's event is part of at least another stream outside of its descendants when mergeEventsWithParent=false |
TWDG | ✅ | must not delete events, but remove the deleted streamId from their streamIds |
Events.streamIds streams DELETE /streams When the event is part of the stream and its children when mergeEventsWithParent=false |
6SBU | ✅ | must delete the events |
Events.streamIds streams DELETE /streams When the event is part of the stream and its children when mergeEventsWithParent=true |
2FRR | ✅ | must not delete events, but remove all streamIds and add its parentId |
[EGSQ] events.get streams query Internal query helpers when transforming streams parameters |
D2B5 | ✅ | must convert strings array to expanded array inside [{any: []}] |
JZWE | ✅ | must convert single string “B” to [{any: [“B”]}] |
8VV4 | ✅ | must convert streams query with only “any” property to expanded streams query inside array [{any: []}]) |
HFT2 | ✅ | must convert streams query property “all” to "and: [{any…}, {any…}]) with each containing expanded streamIds |
PLMO | ✅ | must convert streams query property “all” to "and: [{any…}]) with each containing expanded streamIds |
JYUR | ✅ | must convert streams query property “all” and “not” to "and: [{any…}] not:) with each containing expanded streamIds |
2W2K | ✅ | must accept two streams queries expanding them |
2EF9 | ✅ | must convert streams query {any: [“*”]} to [{any: [all accessible streams]}] |
TUZT | ✅ | must convert streams query {any: [*], not: [“A”]} to [{any: [all accessible streams], [expanded “A”]}] |
NHGF | ✅ | not accept any: "" query mixed with “all” query. like: {any: [], all: [“D”], not: [“A”]} |
U0FA | ✅ | not accept any: “*”, “B” mix. like: {any: [“*”, “D”], not: [“A”]} |
N3Q6 | ✅ | must convert {any: “*”, not: [“A”]} to [{any: [all accessible streams], not: [expanded “A”]}] |
[EGSQ] events.get streams query Internal query helpers when transforming streams parameters with multiple stores |
U6GS | ✅ | group query streamIds per store |
I7GF | ✅ | should throw an error if two different stores are mixed in a query item |
ZUTR | ❓ | should expand queries from different stores |
[EGSQ] events.get streams query Internal query helpers exception and errors |
IOLA | ✅ | must throw on malformed expressions |
[EGSQ] events.get streams query Internal query helpers toMongoQuery() |
KKIH | ✅ | must convert to MongoDB including expansion |
4QMR | ✅ | must convert to MongoDB including with “ALL” |
NG7F | ✅ | must convert to MongoDB including expansion with “NOT” |
HC6X | ✅ | must convert to MongoDB including expansion with “ALL” and “NOT” |
0RNW | ✅ | must handle array of queries |
[EGSQ] events.get streams query GET /events with streams queries |
NKH8 | ✅ | must accept a simple string |
BW6Z | ✅ | must accept array of strings |
HFA2 | ✅ | must accept * (star) with a not without including items in trashed streams |
MMB0 | ✅ | must accept * (star) with !B && !E without including items in trashed streams |
VUER | ✅ | must return events in A && E |
CBP2 | ✅ | must return events in A && !B |
I19H | ✅ | must return events in A && !D |
55HB | ✅ | must return events in A && NOT-EQUAL D |
O4DJ | ✅ | must return all events in B || (D && !E) |
UJSB | ✅ | must accept an object in a batch call (instead of a stringified one) |
ENFE | ✅ | must accept a stringified object in a batch call |
[EGSQ] events.get streams query GET /events with streams queries edge cases |
X8B1 | ✅ | must return an error on non-existing stream |
WRVU | ✅ | must return error when there is no “any” |
30NV | ✅ | must return error when provided a boolean instead of a string |
YOJ9 | ✅ | must return error when provided a null instead of a stream query |
8NNP | ✅ | must return an error when providing a non-stringified stream query |
3X9I | ✅ | must return an empty list when provided a trashed streamId |
Events GET / |
WC8C | ✅ | must return the last 20 non-trashed events (sorted descending) by default |
U8U9 | ✅ | must only return events for the given streams (incl. sub-streams) when set |
S0M6 | ✅ | must return an error if some of the given streams do not exist |
R667 | ✅ | must only return events with the given tag when set |
KNJY | ✅ | must only return events with any of the given tags when set |
QR4I | ✅ | must only return events of any of the given types when set |
TWP8 | ✅ | must (unofficially) support a wildcard for event types |
4TWI | ✅ | must refuse unsupported event types |
7MOU | ✅ | must only return events in the given time period sorted ascending when set |
W5IT | ✅ | must take into account fromTime and toTime even if set to 0 |
Y6SY | ✅ | must take into account modifiedSince even if set to 0 |
QNDP | ✅ | must properly exclude period events completed before the given period |
5UFW | ✅ | must return ongoing events started before the given time period |
S9J4 | ✅ | must only return events in the given paging range when set |
915E | ✅ | must return only trashed events when requested |
6H0Z | ✅ | must return all events (trashed or not) when requested |
JZYF | ✅ | must return only events modified since the given time when requested |
C3HU | ✅ | must return an error if withDeletions is given as parameter |
B766 | ✅ | must include event deletions (since that time) when requested |
V72A | ✅ | must only return running period event(s) when requested |
68IL | ✅ | must return an error if no access token is provided |
Events GET // |
F29M | ✅ | must return the attached file with the correct headers |
PP6G | ✅ | must return readToken in attachments |
NL65 | ✅ | must accept a secure read token in the query string instead of the “Authorization” header |
ZDY4 | ✅ | must accept special chars in Content-Disposition header |
TN27 | ✅ | must allow a filename path suffix after the file id |
LOUB | ✅ | must allow any filename (including special characters) |
9NJ0 | ✅ | must refuse an invalid file read token |
9HNM | ✅ | must refuse auth via the regular “auth” query string parameter |
MMCZ | ✅ | must return a proper error if trying to get an unknown attachment |
Events POST / |
1GR6 | ✅ | must create an event with the sent data, returning it |
QSBV | ✅ | must set the event’s time to “now” if missing |
6BVW | ✅ | must accept explicit null for optional fields |
D2TH | ✅ | must refuse events with no stream id |
WN86 | ✅ | must return a correct error if an event with the same id already exists |
94PW | ✅ | must not allow reuse of deleted ids (unlike streams) |
DRFA | ✅ | must only allow ids that are formatted like cuids |
O7Y2 | ✅ | must reject tags that are too long |
2885 | ✅ | must fix the tags to an empty array if not set |
UL6Y | ✅ | must not stop the running period event if the stream allows overlapping |
FZ4T | ✅ | must validate the event’s content if its type is known |
EL88 | ✅ | must not fail when validating the content if passing a string instead of an object |
JUM6 | ✅ | must return an error if the sent data is badly formatted |
5NEL | ✅ | must return an error if the associated stream is unknown |
3S2T | ✅ | must allow the event’s period overlapping existing periods when the stream allows it |
Q0L6 | ✅ | must return an error if the assigned stream is trashed |
WUSC | ✅ | must not fail (500) when sending an array instead of an object |
Z87W | ✅ | must not accept an empty streamIds array |
Events POST / (multipart content) |
4CUV | ✅ | must create a new event with the uploaded files |
HROI | ✅ | must properly handle part names containing special chars (e.g. “.”, “$”) |
0QGV | ✅ | must return an error if the non-file content part is not JSON |
R8ER | ✅ | must return an error if there is more than one non-file content part |
Events POST / (multipart content) |
ZI01 | ✅ | must add the uploaded files to the event as attachments |
EUZM | ✅ | must add the uploaded files to the event without replacing existing attachments |
Events GET / |
8GSS | ✅ | allows access at level=read |
IBO4 | ✅ | denies access without authorization |
Events PUT / |
4QRU | ✅ | must modify the event with the sent data |
6B05 | ✅ | must add/update/remove the specified client data fields without touching the others |
FM3G | ✅ | must accept explicit null for optional fields |
BS75 | ✅ | must validate the event’s content if its type is known |
FU83 | ✅ | must return an error if the event does not exist |
W2QL | ✅ | must return an error if the sent data is badly formatted |
01B2 | ✅ | must return an error if the associated stream is unknown |
CUM3 | ✅ | must reject tags that are too long |
Events PUT / forbidden updates of protected fields |
MPUA | ✅ | must prevent updating attachments |
L15U | ✅ | must prevent update of protected fields and throw a forbidden error in strict mode |
6NZ7 | ✅ | must prevent update of protected fields and log a warning in non-strict mode |
Events PUT HF/non-HF events |
Z7R1 | ✅ | a normal event should not be updated to an hf-event |
Z7R2 | ✅ | An hf-event should not be updated to a normal event |
Events DELETE // |
RW8M | ✅ | must delete the attachment (reference in event + file) |
ZLZN | ✅ | must return an error if not existing |
Events DELETE / |
AT5Y | ✅ | must flag the event as trashed |
73CD | ✅ | must delete the event when already trashed including all its attachments |
Followed slices GET / |
TNKS | ✅ | must return all followed slices (ordered by user name, then access token) |
U9M4 | ✅ | must be forbidden to non-personal accesses |
Followed slices POST / |
HVYA | ✅ | must create a new followed slice with the sent data, returning it |
BULL | ✅ | must return a correct error if the sent data is badly formatted |
GPZK | ✅ | must return a correct error if the same followed slice (url and token) already exists |
RYNB | ✅ | must return a correct error if a followed slice with the same name already exists |
Followed slices PUT / |
LM08 | ✅ | must modify the followed slice with the sent data |
QFGH | ✅ | must return a correct error if the followed slice does not exist |
RUQE | ✅ | must return a correct error if the sent data is badly formatted |
T256 | ✅ | must return a correct error if a followed slice with the same name already exists |
Followed slices DELETE / |
U7LY | ✅ | must delete the followed slice |
UATV | ✅ | must return a correct error if the followed slice does not exist |
Methods/helpers/commonFunctions.js: catchForbiddenUpdate(schema) with streams schema |
DMGV | ✅ | must throw a forbidden error if “ignoreProtectedFieldUpdates” is null |
Z51K | ✅ | must throw a forbidden error if “ignoreProtectedFieldUpdates” is false |
EUKL | ✅ | must not throw any error if “ignoreProtectedFieldUpdates” is true but print a warn log |
Methods/helpers/commonFunctions.js: catchForbiddenUpdate(schema) with events schema |
0RQM | ✅ | must throw a forbidden error if “ignoreProtectedFieldUpdates” is null |
6TK9 | ✅ | must throw a forbidden error if “ignoreProtectedFieldUpdates” is false |
IJ4M | ✅ | must not throw any error if “ignoreProtectedFieldUpdates” is true but print a warn log |
Methods/helpers/commonFunctions.js: catchForbiddenUpdate(schema) with accesses schema |
GP6C | ✅ | must throw a forbidden error if “ignoreProtectedFieldUpdates” is null |
MUC0 | ✅ | must throw a forbidden error if “ignoreProtectedFieldUpdates” is false |
QGDA | ✅ | must not throw any error if “ignoreProtectedFieldUpdates” is true but print a warn log |
Auth /login |
2CV5 | ✅ | must authenticate the given credentials, open a session and return the access token |
68SH | ✅ | must return expired |
5UMP | ✅ | must reuse the current session if already open |
509A | ✅ | must accept “wildcarded” app ids and origins |
ADL4 | ✅ | must accept “no origin” (i.e. not a CORS request) if authorized |
A7JL | ✅ | must also accept “referer” in place of “origin” (e.g. some browsers do not provide “origin”) |
IKNM | ✅ | must also accept “referer” in place of “origin” (e.g. some browsers do not provide “origin”) |
1TI6 | ✅ | must not be case-sensitive for the username |
L7JQ | ✅ | must return a correct error when the local credentials are missing or invalid |
4AQR | ✅ | must return a correct error if the app id is missing or untrusted |
NDB0 | ✅ | must return a correct error if the origin is missing or does not match the app id |
FMJH | ✅ | must support concurrent login request, saving only the last token that is written in the storage |
9WHP | ✅ | must not leak _private object from Result |
Auth /login when we log into a temporary log file |
C03J | ✅ | must replace the password in the logs by (hidden) when an error occurs |
G0YT | ✅ | must not mention the password in the logs when none is provided |
Auth /login [WPRA] When password rules are enabled |
675V | ✅ | must succeed if the password is not yet expired, returning planned expiration time and possible change time |
D3EV | ✅ | must return an error if the password has expired, indicating the date it did so |
Auth /logout |
6W5M | ✅ | must terminate the access session and fail to logout a second time (session already expired) |
E2MD | ✅ | (or any request) must alternatively accept the access token in the query string |
Auth SSO support |
TIDW | ✅ | GET /who-am-i must return a 410 as it has been removed |
Mailing helper methods |
HGVD | ✅ | should throw an error if mailing method is invalid |
OKQ2 | ✅ | should throw an error if mailing method is missing |
Mailing helper methods using Mandrill validating request body |
GU60 | ✅ | should not be empty |
8JJU | ✅ | should contain a valid auth key |
G906 | ✅ | should contain a valid recipient |
KBE0 | ✅ | should contain a valid substitution of variables |
2ABY | ✅ | should contain valid tags |
Mailing helper methods using Microservice validating request body |
LHCB | ✅ | should not be empty |
9UEU | ✅ | should contain a valid auth key |
1Y6K | ✅ | should contain a valid recipient |
UT8M | ✅ | should contain a valid substitution of variables |
ArraySerializationStream testing around the array size limit |
U21Z | ✅ | must return a valid array when receiving limit-3 items |
MKNL | ✅ | must return a valid array when receiving limit-2 items |
MUPF | ✅ | must return a valid array when receiving limit-1 items |
CM4Q | ✅ | must return a valid array when receiving limit+0 items |
F8S9 | ✅ | must return a valid array when receiving limit+1 items |
6T4V | ✅ | must return a valid array when receiving limit+2 items |
QBOS | ✅ | must return a valid array when receiving limit+3 items |
ArraySerializationStream testing with small number of items |
69F6 | ✅ | must return a valid array when receiving 0 item(s) |
BJRT | ✅ | must return a valid array when receiving 1 item(s) |
YJI0 | ✅ | must return a valid array when receiving 2 item(s) |
EKQQ | ✅ | must return a valid array when receiving 3 item(s) |
DrainStream |
AFWR | ✅ | must be fed objects and return them in the callback |
23UQ | ✅ | must return an error when the provided limit is exceeded |
Permissions create-only level Permissions - create-only level Accesses GET / when using an access with a "create-only" permissions |
HOTO | ✅ | should return an empty list |
Permissions create-only level Permissions - create-only level Accesses POST / when using an access with a "create-only" permission |
X4Z1 | ✅ | a masterToken should allow to create an access with a “create-only” permissions |
ATCO | ✅ | an appToken with managed rights should allow to create an access with a “create-only” permissions |
ATCY | ✅ | an appToken with managed rights should allow to create an access with a “create-only” permissions and selfRevoke forbidden |
ATCR | ✅ | an appToken with read rights should be forbidden to create an access with a “create-only” permissions |
ATCC | ✅ | an appToken with contribute rights should be allowed to create an access with a “create-only” permissions |
FEGI | ✅ | a createOnlyToken should forbid to create an access with a “read” level permission |
SL4P | ✅ | should forbid to create an access with a “contribute” level permission |
ZX1M | ✅ | should forbid to create an access with a “manage” level permission |
Permissions create-only level Permissions - create-only level Accesses PUT / |
1WXJ | ✅ | should forbid updating accesses |
Permissions create-only level Permissions - create-only level Accesses DELETE / |
G6IP | ✅ | should forbid deleting accesses |
Permissions create-only level Events GET / |
CKF3 | ✅ | should return an error list when fetching explicitly “create-only” streams |
V4KJ | ✅ | should not return events when fetching “create-only” streams that are children of “read” streams |
SYRW | ✅ | should not return events when fetching “create-only” streams that are children of “contribute” streams |
Permissions create-only level Events GET /:id |
N61I | ✅ | should forbid fetching an event when using a “create-only” permission |
Permissions create-only level Events POST / |
0G8I | ✅ | should forbid creating events for out of scope streams |
F406 | ✅ | should allow creating events for “create-only” streams |
Permissions create-only level Events PUT / |
V0UO | ✅ | should forbid updating events for “create-only” streams |
Permissions create-only level Events DELETE / |
5OUT | ✅ | should forbid deleting events for “create-only” streams |
Permissions create-only level Events attachments GET /events/{id}/{fileId}[/{fileName}] |
VTU4 | ✅ | should be forbidden |
Permissions create-only level Events attachments POST /events/{id} |
8J8O | ✅ | should be forbidden |
Permissions create-only level Events attachments DELETE /events/{id}/{fileId} |
GY6M | ✅ | should be forbidden |
Permissions create-only level Streams GET / |
J12F | ✅ | should only return streams for which permissions are defined |
Permissions create-only level Streams POST / |
TFWF | ✅ | should forbid creating child streams in “create-only” streams |
Permissions create-only level Streams PUT / |
PCO8 | ✅ | should forbid updating “create-only” streams |
Permissions create-only level Streams DELETE / |
PCO9 | ✅ | should forbid deleting “create-only” streams |
Permissions create-only level Webhooks CREATE / |
3AE9 | ✅ | should allow creating webhooks |
Permissions forcedStreams GET /events with forcedStreams |
SO2E | ✅ | must not see events on “B” when querying * |
ELFF | ✅ | must refuse querying C |
Permissions none GET /events with none permissions |
VVOA | ✅ | must not see event in “none” level stream |
Permissions selfRevoke POST /accesses |
JYL5 | ✅ | must list accesses with forbidden selfRevoke by GET /accesses |
JYU5 | ✅ | must forbid creating accesses with selfRevoke different than forbidden |
Permissions selfRevoke [DACC] DELETE /accesses |
AHS6 | ✅ | must allow app accesses to self revoke by default |
H6DU | ✅ | must forbid app accesses to self revoke when set |
3DR7 | ✅ | must allow shared accesses to self revoke by default |
F62D | ✅ | must forbid shared accesses to self revoke when set |
Access permissions - Tags |
F93X | ✅ | must return a 400 error when attempting to create an access with tag-based permissions |
[ACCP] Access permissions Events |
1AK1 | ✅ | get must only return events in accessible streams |
NKI5 | ✅ | get must return all events when permissions are defined for “all streams” (*) |
5360 | ✅ | get (or any request) must alternatively accept the access token in the query string |
KTM1 | ✅ | must forbid getting an attached file if permissions are insufficient |
2773 | ✅ | must forbid creating events for ‘read-only’ streams |
ZKZZ | ✅ | must forbid updating events for ‘read-only’ streams |
4H62 | ✅ | must forbid deleting events for ‘read-only’ streams |
Y38T | ✅ | must allow creating events for ‘contribute’ streams |
[ACCP] Access permissions Streams |
BSFP | ✅ | get must only return streams for which permissions are defined |
R4IA | ✅ | must forbid creating child streams in ‘read-only’ streams |
KHI7 | ✅ | must forbid creating child streams in ‘contribute’ streams |
MCDP | ✅ | must forbid deleting child streams in ‘contribute’ streams |
7B6P | ✅ | must forbid updating ‘contribute’ streams |
RG5R | ✅ | must forbid deleting ‘contribute’ streams |
21AZ | ✅ | must not allow creating child streams in trashed ‘managed’ streams |
O1AZ | ✅ | must allow creating child streams in ‘managed’ streams |
5QPU | ✅ | must forbid moving streams into non-‘managed’ parent streams |
KP1Q | ✅ | must allow deleting child streams in ‘managed’ streams |
HHSS | ✅ | must recursively apply permissions to the streams’ child streams |
NJ1A | ✅ | must allow access to all streams when no specific stream permissions are defined |
[ACCP] Access permissions Auth and change tracking |
YE49 | ✅ | must handle optional caller id in auth (in addition to token) |
[ACCP] Access permissions Auth and change tracking custom auth step (e.g. to validate/parse caller id) |
IA9K | ✅ | must be supported and deny access when failing |
H58R | ✅ | must allow access when successful |
H58Z | ✅ | must allow access with “callerid” headers |
ISE4 | ✅ | must fail properly (i.e. not granting access) when the custom function crashes |
P4OM | ✅ | must validate the custom function at startup time |
Profile (app) GET /public |
FWG1 | ✅ | must return publicly shared key-value profile info |
Profile (app) GET /app |
13DL | ✅ | must return key-value settings for the current app |
J37U | ✅ | must refuse requests with a shared access token |
GYBN | ✅ | must refuse requests with a personal access token |
Profile (app) PUT /app |
1QFB | ✅ | must add/update/remove the specified keys without touching the others |
0H9A | ✅ | must refuse requests with a shared access token |
JC5F | ✅ | must refuse requests with a personal access token |
Profile (personal) GET |
J61R | ✅ | /public must return publicly shared key-value profile info |
HIMS | ✅ | /private must return private key-value profile info |
36B1 | ✅ | must return an appropriate error for other paths |
FUJA | ✅ | “private” must be forbidden to non-personal accesses |
Profile (personal) PUT |
M28R | ✅ | /public must add/update/remove the specified keys without touching the others |
WU9C | ✅ | /private must add/update/remove the specified keys without touching the others |
2AS6 | ✅ | must create the profile if not existing |
Q99E | ✅ | must return an appropriate error for other paths |
T565 | ✅ | must be forbidden to non-personal accesses |
[REGC] registration: cluster POST /users (create user) [WAUW] when a user with the same username (not email) already exists in core but not in register |
QV8Z | ✅ | should respond with status 201 |
TCOM | ✅ | should respond with the username and apiEndpoint |
7QB6 | ✅ | should send the right data to register |
A2EM | ✅ | should replace first user events in the storage |
[REGC] registration: cluster POST /users (create user) when a user with the same username/email already exists in core but not in register |
GRAW | ✅ | should respond with status 201 |
AY44 | ✅ | should respond with the username and apiEndpoint (TODO) |
ZHYX | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when the username exists in register |
NUC9 | ✅ | should respond with status 409 |
X1IA | ✅ | should respond with the correct error |
JJJY | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when the email exists in register |
SJXN | ✅ | should respond with status 409 |
U0ZN | ✅ | should respond with the correct error |
2UNK | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when the user and email exist in register |
LUC6 | ✅ | should respond with status 409 |
XIN8 | ✅ | should respond with the correct error |
OIRY | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when there is a simultaneous registration |
I0HG | ✅ | should respond with status 409 |
QFVZ | ✅ | should respond with the correct error |
MMG9 | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when invitationTokens are undefined and a random string is provided as "invitationToken" |
CMOV | ✅ | should respond with status 201 |
F0MO | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when invitationTokens are undefined and "invitationToken" is missing |
LOIB | ✅ | should respond with status 201 |
5O4Q | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when invitationTokens are defined when a valid one is provided |
Z2ZY | ✅ | should respond with status 201 |
DIFS | ✅ | should send the right data to register |
1BF3 | ✅ | should find password in password history |
[REGC] registration: cluster POST /users (create user) when invitationTokens are defined when an invalid one is provided |
4GON | ✅ | should respond with status 400 |
ZBYW | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when invitationTokens are set to [] (forbidden creation) when any string is provided |
CX9N | ✅ | should respond with status 400 |
IH6K | ✅ | should send the right data to register |
[REGC] registration: cluster POST /users (create user) when custom account streams validation exists when email is set as required and it is not set in the request |
UMWB | ✅ | should respond with status 400 |
8RDA | ✅ | should respond with the correct error |
[REGC] registration: cluster POST /users (create user) when custom account streams validation exists when field does not match custom validation settings |
8W22 | ✅ | should respond with status 400 |
GBKD | ✅ | should respond with the correct error |
[REGC] registration: cluster POST /users (create user) [RCPW] When password rules are enabled |
0OBL | ✅ | must fail if the new password does not comply (smoke test; see “/change-password” in account tests) |
5BQL | ✅ | must succeed if the new password complies (smoke test; see “/change-password” in account tests) |
[BMM2] registration: DNS-less POST /users when given valid input |
KB3T | ✅ | should respond with status 201 |
VDA8 | ✅ | should respond with a username and apiEndpoint in the request body |
LPLP | ✅ | Valid access token exists in the response |
M5XB | ✅ | should store all the fields |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid username parameter that is too short |
3Q1H | ✅ | should respond with status 400 |
M6CD | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid username parameter that is too long |
WG46 | ✅ | should respond with status 400 |
MST7 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid username parameter that has invalid characters |
TL2W | ✅ | should respond with status 400 |
TSC6 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid username parameter that has an invalid type |
XTD0 | ✅ | should respond with status 400 |
EIKE | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid username parameter that is null |
JQ7V | ✅ | should respond with status 400 |
G81N | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid password parameter that is too short |
FSE9 | ✅ | should respond with status 400 |
OYZM | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid password parameter that is too long |
KJGF | ✅ | should respond with status 400 |
LQWX | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid password parameter that has an invalid type |
SBCX | ✅ | should respond with status 400 |
XFG4 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid password parameter that is null |
T56V | ✅ | should respond with status 400 |
MP5F | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid email parameter that is too long |
S8U8 | ✅ | should respond with status 400 |
1JN8 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid email parameter that has an invalid type |
GV6I | ✅ | should respond with status 400 |
6OX5 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid email parameter that is null |
6SID | ✅ | should respond with status 400 |
PJY5 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid appId parameter that is too short |
5P2E | ✅ | should respond with status 400 |
I9QE | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid appId parameter that is too long |
AQFL | ✅ | should respond with status 400 |
HI9V | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid appId parameter that has an invalid type |
4XCV | ✅ | should respond with status 400 |
8G9V | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid appId parameter that is null |
K4LE | ✅ | should respond with status 400 |
NZ4J | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid invitationToken parameter that has an invalid type |
CYW6 | ✅ | should respond with status 400 |
79A5 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid invitationToken parameter that is null |
UEKC | ✅ | should respond with status 400 |
FJ51 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid referer parameter that is too long |
5BNJ | ✅ | should respond with status 400 |
V51E | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid referer parameter that has an invalid type |
J1DW | ✅ | should respond with status 400 |
AFUH | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid language parameter that is too short |
UPWY | ✅ | should respond with status 400 |
QYT8 | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid language parameter that is too long |
GDMW | ✅ | should respond with status 400 |
LP4S | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid language parameter that has an invalid type |
R1LT | ✅ | should respond with status 400 |
E95A | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Schema validation when given an invalid language parameter that is null |
RHT6 | ✅ | should respond with status 400 |
0QGW | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users Property values uniqueness username property |
LZ1K | ✅ | should respond with status 409 |
M2HD | ✅ | should respond with the correct error message |
[BMM2] registration: DNS-less POST /users When providing an indexed value that is neither a number nor a string by providing an object |
S6PS | ✅ | must return an error |
[BMM2] registration: DNS-less GET /reg/:username/check |
7T9L | ✅ | when checking a valid available username, it should respond with status 200 and {reserved:false} |
153Q | ✅ | when checking a valid taken username, it should respond with status 409 and the correct error |
H09H | ✅ | when checking a too short username, it should respond with status 400 and the correct error |
VFE1 | ✅ | when checking a too long username, it should respond with status 400 and the correct error |
FDTC | ✅ | when checking a username with invalid characters, it should respond with status 400 and the correct error |
Events streaming with 2000 entries |
SE1K | ✅ | Streams events |
XZGB | ✅ | Streams deleted in sent as chunked |
Result concatStream |
36RQ | ✅ | must concatenate multiple streams in a single Array |
Result toObject() |
NKHF | ✅ | must return the result’s content when not storing streams |
MHAS | ✅ | must return the result content when storing streams |
6P4Z | ✅ | must return an error object when attempting to serialize streams containing an amount of objects exceeding the limit |
TTEL | ✅ | must return an error when storing piped streams |
H2GC | ❓ | must return an error when the core pipeline crashes because of size |
[ROOT] root GET / |
UA7B | ✅ | should return basic server meta information as JSON when requested |
TO50 | ✅ | should return basic server meta information as text otherwise |
TS3D | ✅ | should return an error if trying to access an unknown user account |
[ROOT] root All requests: |
TJHO | ✅ | should return correct common HTTP headers + meta data in response body |
OQ3G | ✅ | should return meta data in response body for errors as well |
P06Y | ✅ | should properly translate the Host header’s username (i.e. subdomain) |
R3H5 | ✅ | should translate the username in subdomain also when it only contains numbers |
5IQK | ✅ | should support POSTing “urlencoded” content with _json and _auth fields |
2YEI | ✅ | should support POSTing “urlencoded” content with _json, _method (PUT) and _auth fields |
VJTP | ✅ | should support POSTing “urlencoded” content with _json, _method (DELETE) and _auth fields |
6D5O | ✅ | should properly handle JSON errors when POSTing “urlencoded” content with _json field |
J2WP | ✅ | trackingFunctions should update the access’s “last used” time and internal request counters |
[ROOT] root OPTIONS / |
PDMA | ✅ | should return OK |
[ROOT] root GET /access-info |
0MI8 | ✅ | must return current access information |
[ROOT] root Accept Basic Auth request |
0MI9 | ✅ | must accept the https://token@user.domain/ AUTH schema |
0MI0 | ✅ | must accept the https://token:anystring@user.domain/ AUTH schema |
3W3Y | ✅ | must accept the https://token:@user.domain/ AUTH schema |
M54U | ✅ | must return a 401 error when basic auth is missing using https://@user.domain/ |
TPH4 | ✅ | must return a 403 error when using https://:token@user.domain/ |
[ROOT] root POST / (i.e. batch call) |
2IV3 | ✅ | must be able to create streams with non-star permissions access |
ORT3 | ✅ | must execute the given method calls and return the results |
TVPI | ✅ | must execute the method calls containing events.get and return the results |
U4RB | ✅ | should not add a null meta field in the response |
WGVY | ✅ | must return an error if the sent data is badly formatted |
TV17 | ✅ | streamed results such as stream.delete should be serialized |
Service GET /service/info |
FR4K | ✅ | must return all service info |
Service-reporting POST report on service-reporting (started) |
G1UG | ✅ | must start and successfully send a report when service-reporting is listening |
Socket.IO |
25M0 | ✅ | must dynamically create a namespace for the user |
9ZH8 | ✅ | must send correct CORS headers |
VGKX | ✅ | must connect with the user name twice in the path (DnsLess) |
VGKH | ✅ | must connect to a user with a dash in the username |
OSOT | ✅ | must refuse connection if no valid access token is provided |
Socket.IO calling API methods |
FI6F | ✅ | must properly route method call messages for events and return the results, including meta |
O3SW | ✅ | must properly route method call messages for streams and return the results |
TO6Z | ✅ | must accept streamQuery as JavaScript Object |
NGUZ | ✅ | must not crash when callers omit the callback |
ACA3 | ✅ | must fail if the called target does not exist |
L8WJ | ✅ | must fail if the called method does not exist |
SNCW | ✅ | must return API errors properly, including meta |
744Z | ✅ | must notify other sockets for the same user about events changes |
GJLT | ✅ | must notify other sockets for the same user (only) about streams changes |
JC99 | ✅ | must notify on each change |
Socket.IO when using an access with a "create-only" permission |
K2OO | ✅ | must allow a connection |
Socket.IO when spawning 2 api-server processes, A and B |
JJRA | ❓ | changes made in A notify clients of B |
[STRE] streams GET / |
TG78 | ✅ | must return non-trashed streams (as a tree) by default |
DPWG | ✅ | must return all streams (trashed or not) when requested |
RDD5 | ✅ | must include stream deletions (since the given time) when requested |
T8AM | ✅ | must include stream deletions even when the given time is 0 |
1M8A | ❓ | must not keep stream deletions past a certain time (cannot test because cannot force-run Mongo’s TTL cleanup task) |
W9VC | ✅ | must return a correct 401 error if no access token is provided |
UVWK | ✅ | must return child streams when providing a parent stream id |
AJZL | ✅ | must return a correct error if the parent stream is unknown |
G5F2 | ✅ | must return a correct error if the stream is unknown |
[STRE] streams POST / |
ENVV | ✅ | must create a new “root” stream with the sent data, returning it |
A2HP | ✅ | must return a correct error if the sent data is badly formatted |
GGS3 | ✅ | must return a correct error if a stream with the same id already exists |
UHKI | ✅ | must allow reuse of deleted ids |
8WGG | ✅ | must accept explicit null for optional fields |
NR4D | ✅ | must fail if a sibling stream with the same name already exists |
JINC | ✅ | must return a correct error if the sent data is not valid JSON |
CHDM | ✅ | must create a new child stream (with predefined id) when providing a parent stream id |
88VQ | ✅ | must return an error if the new stream’s parentId is the empty string |
84RK | ✅ | must slugify the new stream’s predefined id |
2B3H | ✅ | must return a correct error if the parent stream is unknown |
8JB5 | ✅ | must return a correct error if the given predefined stream’s id is “null” |
6TPQ | ✅ | must return a correct error if the given predefined stream’s id is “*” |
Z3RC | ✅ | must accept streamId “size” |
[STRE] streams PUT / |
SO48 | ✅ | must modify the stream with the sent data |
5KNJ | ✅ | must accept explicit null for optional fields |
0ANV | ✅ | must add/update/remove the specified client data fields without touching the others |
PL2G | ✅ | must return a correct error if the stream does not exist |
JWT4 | ✅ | must return a correct error if the sent data is badly formatted |
344I | ✅ | must fail if a sibling stream with the same name already exists |
JT6G | ✅ | must modify the stream with the sent data even if name and parentId sent are the same |
PT1E | ✅ | must move the stream under the given parent when specified |
HJBH | ✅ | must return a correct error if the new parent stream is unknown |
29S6 | ✅ | must return an error if the “parentId” is the same as the “id” |
[STRE] streams PUT / forbidden updates of protected fields |
PN1H | ✅ | must fail and throw a forbidden error in strict mode |
A3WC | ✅ | must succeed by ignoring protected fields and log a warning in non-strict mode |
[STRE] streams [STRD] DELETE / |
205A | ✅ | must flag the specified stream as trashed |
TEFF | ✅ | must delete the stream when already trashed with its descendants if there are no linked events |
LVTR | ✅ | must return a correct error if there are linked events and the related parameter is missing |
RKEU | ✅ | must reject the deletion of a root stream with mergeEventsWithParent=true |
26V0 | ✅ | must reassign the linked events to the deleted stream’s parent when specified |
KLD8 | ✅ | must delete the linked events when mergeEventsWithParent is false |
1U1M | ✅ | must return a correct error if the item is unknown |
[SYRO] system route |
JT1A | ✅ | should parse correctly usernames starting with “system” |
CHEK | ✅ | System check Platform integrity |
[SYRO] system route DELETE /mfa |
1V4D | ✅ | should return 204 |
3HE9 | ✅ | should delete the user’s “mfa” profile property |
I2PU | ✅ | should not delete anything else in the profile |
[SYER] system (ex-register) POST /create-user (DEPRECATED) |
0G7C | ✅ | must not send a welcome email if mailing is deactivated |
TWBF | ✅ | must not send a welcome email if welcome mail is deactivated |
[SYER] system (ex-register) POST /create-user (DEPRECATED) when email sending really works |
FUTR | ✅ | must create a new user with the sent data, sending a welcome email |
[SYER] system (ex-register) POST /create-user (DEPRECATED) when it just replies OK |
9K71 | ✅ | must run the process but not save anything for test username “recla” |
ZG1L | ✅ | must support the old “/register” path for backwards-compatibility |
VGF5 | ✅ | must return a correct 400 error if the sent data is badly formatted |
ABI5 | ✅ | must return a correct 400 error if the language property is above 5 characters |
OVI4 | ✅ | must return a correct 400 error if the language property is the empty string |
RD10 | ✅ | must return a correct 400 error if a user with the same user name already exists |
NPJE | ✅ | must return a correct 400 error if a user with the same email address already exists |
Y5JB | ✅ | must return a correct 404 error when authentication is invalid |
GF3L | ✅ | must return a correct error if the content type is wrong |
[SYER] system (ex-register) POST /create-user (DEPRECATED) when we log into a temporary log file |
Y69B | ✅ | must replace the passwordHash in the logs by (hidden) when the authentication is invalid |
MEJ9 | ✅ | must replace the passwordHash in the logs by (hidden) when the payload is invalid (here parameters) |
CO6H | ✅ | must not mention the passwordHash in the logs when none is provided |
[SYER] system (ex-register) GET /user-info/{username} |
9C1A | ✅ | trackingFunctions must return user information (including time of last account use) |
FNJ5 | ✅ | must return a correct 404 error when authentication is invalid |
[SSDC] SystemStreams config when valid custom systemStreams are provided |
GB8G | ✅ | must set default values and other fields |
KMT3 | ✅ | must prefix default streams with the Pryv prefix |
PVDC | ✅ | must prefix custom streams with the customer prefix |
[SSDC] SystemStreams config When retro-compatibility is activated and a streamId unicity conflict exists between a custom system streamId and a default one |
3Z9N | ✅ | must throw a config error |
[SSDC] SystemStreams config When custom system streams contain duplicate streamIds |
CHEF | ✅ | must throw a config error |
[SSDC] SystemStreams config When providing a custom system stream that is unique but not indexed |
42A1 | ✅ | must throw a config error |
[SSDC] SystemStreams config When providing a custom system stream that has an invalid type |
LU0A | ❓ | must throw a config error |
[SSDC] SystemStreams config When providing an "other" custom stream that is unique |
GZEK | ✅ | must throw a config error |
[SSDC] SystemStreams config When providing an "other" custom stream that is indexed |
2IBL | ✅ | must throw a config error |
[SSDC] SystemStreams config When providing an "other" custom stream that is non editable |
655X | ✅ | must throw a config error |
[SSDC] SystemStreams config When providing an "other" custom stream that is required at registration |
OJJ0 | ✅ | must throw a config error |
Config: serviceInfo when dnsLess is disabled when "serviceInfoUrl" points to a file |
D2P7 | ✅ | should load serviceInfo |
Uploads middleware hasFileUpload |
GY5H | ✅ | should parse file uploads |
Notifications #serverReady |
B76G | ✅ | notifies internal listeners |
SRAU | ✅ | notifies axon listeners |
Notifications #accountChanged |
P6ZD | ✅ | notifies internal listeners |
Q96S | ✅ | notifies axon listeners |
Notifications #accessesChanged |
P5CG | ✅ | notifies internal listeners |
VSN6 | ✅ | notifies axon listeners |
Notifications #followedSlicesChanged |
VU4A | ✅ | notifies internal listeners |
UD2B | ✅ | notifies axon listeners |
Notifications #streamsChanged |
LDUQ | ✅ | notifies internal listeners |
BUR1 | ✅ | notifies axon listeners |
Notifications #eventsChanged |
N8RI | ✅ | notifies internal listeners |
TRMW | ✅ | notifies axon listeners |
Service Register Errors |
LPD4 | ✅ | Should remove not matching params from duplicate Error |
Authentication hasProperties |
IKAI | ✅ | returns true if all properties exist |
K2PZ | ✅ | returns false if not all properties exist |
U2NA | ✅ | returns false if null is given |
WJ7J | ✅ | returns false if a string is given |
TryCoerceStringValues |
DTZ1 | ✅ | should behave as documented in the method |
X26S | ✅ | doesn’t create keys in object |
4MHH | ✅ | should convert to array |
X8PY | ✅ | number conversion works |
Versioning Events |
RWIA | ✅ | must not return history when calling events.get |
Versioning Events deletionMode |
FLLW | ✅ | must delete the event’s history when deleting it with deletionMode=keep-nothing |
6W0B | ✅ | must minimize the event’s history when deleting it with deletionMode=keep-authors |
1DBC | ✅ | must not modify the event’s history when deleting it with deletionMode=keep-everything |
Versioning Events events.getOne |
YRI7 | ✅ | must not return an event’s history when calling getOne with includeHistory flag off |
KPQZ | ✅ | must return an event’s history when calling getOne with includeHistory flag on |
Versioning Events forceKeepHistory is OFF |
PKA9 | ✅ | must not generate history when updating an event |
Versioning Events forceKeepHistory is ON |
0P6S | ✅ | must generate history when updating an event |
NZQB | ✅ | must generate history when trashing an event |
Versioning Streams |
H1PK | ✅ | must generate events’ history when their stream is deleted with mergeEventsWithParents=true since their streamId is modified |
95TJ | ✅ | must delete the events’ history when their stream is deleted with mergeEventsWithParents=false and deletionMode=‘keep-nothing’ |
4U91 | ✅ | must keep the events’ minimal history when their stream is deleted with mergeEventsWithParents=false and deletionMode=‘keep-authors’ |
D4CY | ✅ | must not delete the events’ history when their stream is deleted with mergeEventsWithParents=false and deletionMode=‘keep-everything’ |
Versioning Users |
4ETL | ✅ | must allow reusing unique values after they are in history |
Webhooks GET / when using an app token |
R5KD | ✅ | should return a status 200 with a webhooks object which is an array |
67CX | ✅ | should fetch all webhooks reachable by an app token |
WSJG | ✅ | should not fetch any Webhook outside its scope |
Webhooks GET / when using a personal token |
6MNC | ✅ | should return a status 200 with a webhooks object which is an array |
4YFQ | ✅ | should fetch all webhooks for the user |
Webhooks GET / when using a shared token |
RIZV | ✅ | should return a status 200 with a webhooks object which is an array |
Webhooks GET /:webhookId when using an app token when fetching an existing webhook inside its scope |
XMB7 | ✅ | should return a status 200 with a webhook object |
Webhooks GET /:webhookId when using an app token when fetching an existing webhook outside of its scope |
BDC2 | ✅ | should return a status 403 with a forbidden error |
Webhooks GET /:webhookId when using an app token when fetching a nonexistent webhook |
O6MM | ✅ | should return a status 404 with an unknown resource error |
Webhooks GET /:webhookId when using a personal token |
D8YQ | ✅ | should return a status 200 with a webhook object |
Webhooks GET /:webhookId when using a shared token |
604H | ✅ | should return a status 200 with a webhook object |
Webhooks POST / when using an app token when providing a valid webhook |
Z1XD | ✅ | should return a status 201 with the created webhook |
XKLU | ✅ | should save it to the storage |
Webhooks POST / when using an app token when providing an existing url |
60OQ | ✅ | should return a status 409 with a collision error |
Webhooks POST / when using an app token when providing invalid parameters when url is not a string |
3VIU | ✅ | should return a status 400 with an invalid parameters error |
Webhooks POST / when using a shared token when providing a valid webhook |
YTLW | ✅ | should return a status 201 with the created webhook |
UC6J | ✅ | should save it to the storage |
Webhooks POST / when using a personal token when providing a valid webhook |
3AZO | ✅ | should return a status 403 with a forbidden error |
Webhooks PUT /:webhookId when using an app token when updating an existing webhook when changing a valid parameter |
C9FU | ✅ | should return a status 200 with the updated webhook |
JSOH | ✅ | should apply the changes to the storage |
Webhooks PUT /:webhookId when using an app token when updating an existing webhook when changing a readonly parameter |
PW4I | ✅ | should return a status 403 with an invalid parameter error |
Webhooks PUT /:webhookId when using an app token when updating a webhook outside its scope |
8T2G | ✅ | should return a status 403 with a forbidden error |
Webhooks PUT /:webhookId when using an app token when updating a nonexistent webhook |
AR5R | ✅ | should return a status 404 with an unknown resource error |
Webhooks PUT /:webhookId when using a personal token when providing valid parameters |
LCKN | ✅ | should return a status 200 with the updated webhook |
Webhooks PUT /:webhookId when using a shared token when providing valid parameters |
TMIZ | ✅ | should return a status 200 with the updated webhook |
Webhooks DELETE /:webhookId when using an app token when deleting an existing webhook |
A0CG | ✅ | should return a status 200 with the webhook deletion |
KA98 | ✅ | should delete it in the storage |
Webhooks DELETE /:webhookId when using an app token when deleting a nonexistent webhook |
ZPRT | ✅ | should return a status 404 with an unknown resource error |
Webhooks DELETE /:webhookId when using an app token when deleting an already deleted webhook |
5UX7 | ✅ | should return a status 404 with an unknown resource error |
Webhooks DELETE /:webhookId when using an app token when deleting a webhook outside of its scope |
7O0F | ✅ | should return a status 403 with a forbidden error |
Webhooks DELETE /:webhookId when using a personal token when deleting an existing webhook |
P6X4 | ✅ | should return a status 200 with the webhook deletion |
Webhooks DELETE /:webhookId when using a shared token when deleting an existing webhook |
OZZB | ✅ | should return a status 200 with the webhook deletion |
Webhooks POST /:webhookId/test when using an app token when the webhook exists when the URL is valid |
ZM2B | ✅ | should return a status 200 with a webhook object |
Q7KL | ✅ | should send a POST request to the URL |
Webhooks POST /:webhookId/test when using an app token when the webhook exists when the URL is invalid |
KLRO | ✅ | should return a status 400 with an error object |
Webhooks POST /:webhookId/test when using an app token when the webhook does not exist |
KXA8 | ✅ | should return a status 404 with an unknown resource error |
Webhooks POST /:webhookId/test when using an app token when the webhook is outside of its scope |
KZJD | ✅ | should return a status 403 with a forbidden error |
Webhooks POST /:webhookId/test when using a personal token when the webhook exists |
HYZZ | ✅ | should return a status 200 with a webhook object |
SBI7 | ✅ | should send a POST request to the URL |
Webhooks POST /:webhookId/test when using a shared token when the webhook exists |
O8PB | ✅ | should return a status 200 with a webhook object |
C62I | ✅ | should send a POST request to the URL |