alchemistkay/guestguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3f8bc58ca9ea3d1d25b4b6d6e23fce39e4b3fb21
guestguard/test/integration/e2e_test.go
T
Kwaku Danso 3f8bc58ca9 feat: build core API, fraud engine, notifier, and frontend 
Phase 1 — Core API (Go):
- Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5
- HMAC-signed per-guest tokens with format validation
- Health endpoint with DB ping, slog JSON logging, graceful shutdown

Phase 2 — NATS + Fraud Engine:
- NATS JetStream pub/sub with explicit-ack consumers
- Python/FastAPI fraud engine with heuristic risk scoring
  (fingerprint mismatch, IP change, missing signals, repeated access)
- gRPC sync scoring with 250ms fail-open timeout
- Per-guest baseline tracking; risk bands low/medium/high/block

Phase 3 — Notifications + Frontend:
- Notification worker scaffolding (Twilio/SES stubs, retry/backoff)
- Nuxt 3 frontend with Tailwind dark theme + brand green
- Live monitor via WebSocket with auto-reconnect
- Activity history endpoint backfills monitor with RSVPs +
  scored access checks (including blocked attempts)

UX polish:
- Marketing-friendly landing page (hero mockup, how-it-works,
  features, use cases, testimonials, FAQ, final CTA)
- Animated layered card mockups on landing + new-event page
- Plus-ones stepper, RSVP status badges, filter buttons
- Friendly access-check labels (Verified/Review/Suspicious/Blocked)
- Dashboard hydration fix via ClientOnly wrapper

Infrastructure:
- docker-compose for full local dev (postgres, nats, api,
  fraud-engine, notifier, frontend)
- Multi-stage Dockerfiles, non-root UID 1000
- Integration tests with testcontainers-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 21:08:56 +01:00

488 lines
14 KiB
Go
Raw Blame History

//go:build integration
package integration_test
import (
"bytes"
"context"
"encoding/json"
"fmt"
"io"
"log/slog"
"net"
"net/http"
"net/http/httptest"
"sync/atomic"
"testing"
"time"
"github.com/google/uuid"
"github.com/jackc/pgx/v5/pgxpool"
"github.com/nats-io/nats.go/jetstream"
"github.com/testcontainers/testcontainers-go"
tcpostgres "github.com/testcontainers/testcontainers-go/modules/postgres"
"github.com/testcontainers/testcontainers-go/wait"
"google.golang.org/grpc"
"github.com/alchemistkay/guestguard/internal/api"
"github.com/alchemistkay/guestguard/internal/fraud"
pb "github.com/alchemistkay/guestguard/internal/fraudpb"
"github.com/alchemistkay/guestguard/internal/natspub"
"github.com/alchemistkay/guestguard/internal/storage"
)
// TestE2EHappyPath spins up real Postgres + NATS containers and an in-process
// stub fraud gRPC server, then walks both the async (access → fraud.scored
// → access_logs.flagged) and sync (RSVP submit) flows we manually verified
// with `docker compose up`. This is the regression net for that walkthrough.
func TestE2EHappyPath(t *testing.T) {
if testing.Short() {
t.Skip("skipping integration test in -short mode")
}
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
t.Cleanup(cancel)
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
dsn := startPostgres(t, ctx)
natsURL := startNATS(t, ctx)
db, err := storage.NewDB(ctx, dsn)
must(t, err, "connect db")
t.Cleanup(db.Close)
must(t, db.Migrate(ctx), "migrate")
natsClient, err := natspub.Connect(ctx, natsURL, logger)
must(t, err, "connect nats")
t.Cleanup(natsClient.Close)
stub := startStubFraudGRPC(t)
fraudClient, err := fraud.Dial(ctx, stub.Addr, 2*time.Second, logger)
must(t, err, "dial fraud")
t.Cleanup(func() { _ = fraudClient.Close() })
accessLogs := storage.NewAccessLogRepo(db)
sub, err := natspub.NewFraudScoredSubscriber(ctx, natsClient, "test-fraud-scored",
func(ctx context.Context, evt natspub.FraudScored) error {
return accessLogs.ApplyScore(ctx, storage.ApplyScoreParams{
AccessLogID: evt.AccessLogID,
Score: evt.Score,
Reasons: evt.Reasons,
Flagged: evt.Score >= 60,
})
}, logger)
must(t, err, "create fraud subscriber")
consumeCtx, err := sub.Start(ctx)
must(t, err, "start fraud subscriber")
t.Cleanup(consumeCtx.Stop)
rsvpCounter := subscribeRSVPConfirmed(t, ctx, natsClient)
srv := httptest.NewServer(api.NewServer(api.ServerDeps{
Logger: logger,
DB: db,
AccessPublisher: natsClient,
RSVPPublisher: natsClient,
FraudScorer: fraudClient,
TokenTTL: 24 * time.Hour,
}).Handler())
t.Cleanup(srv.Close)
hostID := insertHost(t, ctx, db.Pool)
t.Run("async access flow flags access_logs", func(t *testing.T) {
eventID := createEvent(t, srv.URL, hostID, "Async Test", "async-test")
guestID := createGuest(t, srv.URL, eventID, "Async Guest")
token := issueToken(t, srv.URL, eventID, guestID)
accessResp := getAccess(t, srv.URL, token)
stub.SetNext(72, "high", []string{"fingerprint differs from baseline"})
// Simulate the fraud-engine side of the pipeline: the engine consumes
// access.attempted from NATS and publishes fraud.scored back. We do
// the same publish directly so we don't need the Python service in the
// test.
mustPublishFraudScored(t, ctx, natsClient, natspub.FraudScored{
EventID: eventID,
GuestID: guestID,
TokenID: accessResp.Token.ID,
AccessLogID: accessResp.AccessLog,
Score: 72,
Risk: "high",
Reasons: []string{"fingerprint differs from baseline"},
ScoredAt: time.Now().UTC(),
})
waitForFlagged(t, ctx, db.Pool, accessResp.AccessLog, 72, true)
})
t.Run("sync rsvp flow records rsvp and marks token used", func(t *testing.T) {
eventID := createEvent(t, srv.URL, hostID, "Sync Test", "sync-test")
guestID := createGuest(t, srv.URL, eventID, "Sync Guest")
token := issueToken(t, srv.URL, eventID, guestID)
stub.SetNext(15, "low", nil)
rsvpResp := submitRSVP(t, srv.URL, token, map[string]any{
"response": "attending",
"plus_ones": 0,
})
if rsvpResp.Blocked {
t.Fatalf("expected blocked=false, got %+v", rsvpResp)
}
if rsvpResp.Decision.Score != 15 || rsvpResp.Decision.Risk != "low" || !rsvpResp.Decision.Used {
t.Fatalf("unexpected decision: %+v", rsvpResp.Decision)
}
if rsvpResp.RSVP == nil || rsvpResp.RSVP.RiskScore == nil || *rsvpResp.RSVP.RiskScore != 15 {
t.Fatalf("rsvp missing risk_score=15: %+v", rsvpResp.RSVP)
}
assertTokenUsed(t, ctx, db.Pool, guestID)
waitForRSVPConfirmed(t, rsvpCounter, 1)
})
t.Run("sync rsvp flow blocks when fraud score is BLOCK", func(t *testing.T) {
eventID := createEvent(t, srv.URL, hostID, "Block Test", "block-test")
guestID := createGuest(t, srv.URL, eventID, "Block Guest")
token := issueToken(t, srv.URL, eventID, guestID)
stub.SetNext(95, "block", []string{"fingerprint differs from baseline", "ip address changed"})
req, _ := http.NewRequestWithContext(ctx, http.MethodPost,
srv.URL+"/rsvp/"+token,
bytes.NewReader([]byte(`{"response":"attending","plus_ones":0}`)))
req.Header.Set("Content-Type", "application/json")
resp, err := http.DefaultClient.Do(req)
must(t, err, "POST /rsvp")
defer resp.Body.Close()
if resp.StatusCode != http.StatusForbidden {
body, _ := io.ReadAll(resp.Body)
t.Fatalf("expected 403 for BLOCK, got %d: %s", resp.StatusCode, body)
}
assertNoRSVP(t, ctx, db.Pool, guestID)
assertTokenStatus(t, ctx, db.Pool, guestID, "active")
})
}
// --- container helpers ---
func startPostgres(t *testing.T, ctx context.Context) string {
t.Helper()
c, err := tcpostgres.Run(ctx,
"postgres:16-alpine",
tcpostgres.WithDatabase("guestguard"),
tcpostgres.WithUsername("guestguard"),
tcpostgres.WithPassword("guestguard"),
testcontainers.WithWaitStrategy(
wait.ForLog("database system is ready to accept connections").
WithOccurrence(2).
WithStartupTimeout(60*time.Second),
),
)
must(t, err, "start postgres container")
t.Cleanup(func() { _ = c.Terminate(context.Background()) })
dsn, err := c.ConnectionString(ctx, "sslmode=disable")
must(t, err, "postgres connection string")
return dsn
}
func startNATS(t *testing.T, ctx context.Context) string {
t.Helper()
req := testcontainers.ContainerRequest{
Image: "nats:2.10-alpine",
ExposedPorts: []string{"4222/tcp"},
Cmd: []string{"-js"},
WaitingFor: wait.ForLog("Server is ready").WithStartupTimeout(60 * time.Second),
}
c, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
ContainerRequest: req,
Started: true,
})
must(t, err, "start nats container")
t.Cleanup(func() { _ = c.Terminate(context.Background()) })
host, err := c.Host(ctx)
must(t, err, "nats host")
port, err := c.MappedPort(ctx, "4222/tcp")
must(t, err, "nats port")
return fmt.Sprintf("nats://%s:%s", host, port.Port())
}
// --- stub fraud gRPC server ---
type stubFraud struct {
pb.UnimplementedFraudServiceServer
Addr string
server *grpc.Server
score atomic.Int32
risk atomic.Value // string
reasons atomic.Value // []string
}
func (s *stubFraud) Score(ctx context.Context, req *pb.ScoreRequest) (*pb.ScoreResponse, error) {
risk := pb.Risk_RISK_LOW
switch s.risk.Load().(string) {
case "low":
risk = pb.Risk_RISK_LOW
case "medium":
risk = pb.Risk_RISK_MEDIUM
case "high":
risk = pb.Risk_RISK_HIGH
case "block":
risk = pb.Risk_RISK_BLOCK
}
var reasons []string
if r, _ := s.reasons.Load().([]string); r != nil {
reasons = r
}
return &pb.ScoreResponse{
Score: s.score.Load(),
Risk: risk,
Reasons: reasons,
}, nil
}
func (s *stubFraud) SetNext(score int, risk string, reasons []string) {
s.score.Store(int32(score))
s.risk.Store(risk)
s.reasons.Store(reasons)
}
func startStubFraudGRPC(t *testing.T) *stubFraud {
t.Helper()
lis, err := net.Listen("tcp", "127.0.0.1:0")
must(t, err, "listen for stub fraud")
s := &stubFraud{Addr: lis.Addr().String()}
s.risk.Store("low")
s.reasons.Store([]string(nil))
s.server = grpc.NewServer()
pb.RegisterFraudServiceServer(s.server, s)
go func() { _ = s.server.Serve(lis) }()
t.Cleanup(s.server.Stop)
return s
}
// --- HTTP helpers ---
func createEvent(t *testing.T, base string, hostID uuid.UUID, name, slug string) uuid.UUID {
t.Helper()
body := map[string]any{
"host_id": hostID.String(),
"name": name,
"slug": slug,
"event_date": time.Now().Add(30 * 24 * time.Hour).UTC().Format(time.RFC3339),
"venue": "Integration Hall",
}
var out struct{ ID uuid.UUID `json:"id"` }
postJSON(t, base+"/events", body, http.StatusCreated, &out)
return out.ID
}
func createGuest(t *testing.T, base string, eventID uuid.UUID, name string) uuid.UUID {
t.Helper()
var out struct{ ID uuid.UUID `json:"id"` }
postJSON(t, fmt.Sprintf("%s/events/%s/guests", base, eventID),
map[string]any{"name": name}, http.StatusCreated, &out)
return out.ID
}
func issueToken(t *testing.T, base string, eventID, guestID uuid.UUID) string {
t.Helper()
var out struct{ Token string `json:"token"` }
postJSON(t, fmt.Sprintf("%s/events/%s/guests/%s/tokens", base, eventID, guestID),
nil, http.StatusCreated, &out)
return out.Token
}
type accessResponse struct {
Token *struct{ ID uuid.UUID `json:"id"` } `json:"token"`
AccessLog uuid.UUID `json:"access_log_id"`
}
func getAccess(t *testing.T, base, token string) accessResponse {
t.Helper()
resp, err := http.Get(base + "/access/" + token)
must(t, err, "GET /access")
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
body, _ := io.ReadAll(resp.Body)
t.Fatalf("GET /access status=%d body=%s", resp.StatusCode, body)
}
var out accessResponse
must(t, json.NewDecoder(resp.Body).Decode(&out), "decode access")
return out
}
type submitRSVPResponse struct {
RSVP *struct {
ID uuid.UUID `json:"id"`
RiskScore *int `json:"risk_score"`
} `json:"rsvp"`
Decision fraud.Decision `json:"fraud"`
Blocked bool `json:"blocked"`
}
func submitRSVP(t *testing.T, base, token string, body map[string]any) submitRSVPResponse {
t.Helper()
var out submitRSVPResponse
postJSON(t, base+"/rsvp/"+token, body, http.StatusCreated, &out)
return out
}
func postJSON(t *testing.T, url string, body any, wantStatus int, out any) {
t.Helper()
var rdr io.Reader
if body != nil {
b, _ := json.Marshal(body)
rdr = bytes.NewReader(b)
}
req, err := http.NewRequest(http.MethodPost, url, rdr)
must(t, err, "build request "+url)
if rdr != nil {
req.Header.Set("Content-Type", "application/json")
}
resp, err := http.DefaultClient.Do(req)
must(t, err, "do request "+url)
defer resp.Body.Close()
if resp.StatusCode != wantStatus {
body, _ := io.ReadAll(resp.Body)
t.Fatalf("%s status=%d want=%d body=%s", url, resp.StatusCode, wantStatus, body)
}
if out != nil {
must(t, json.NewDecoder(resp.Body).Decode(out), "decode response from "+url)
}
}
// --- DB helpers ---
func insertHost(t *testing.T, ctx context.Context, pool *pgxpool.Pool) uuid.UUID {
t.Helper()
var id uuid.UUID
err := pool.QueryRow(ctx,
`INSERT INTO users (email, name) VALUES ($1, $2) RETURNING id`,
fmt.Sprintf("test-%d@guestguard.test", time.Now().UnixNano()),
"Integration Host",
).Scan(&id)
must(t, err, "insert host")
return id
}
func waitForFlagged(t *testing.T, ctx context.Context, pool *pgxpool.Pool, accessLogID uuid.UUID, wantScore int, wantFlagged bool) {
t.Helper()
deadline := time.Now().Add(10 * time.Second)
for time.Now().Before(deadline) {
var (
score *int
flagged bool
)
err := pool.QueryRow(ctx,
`SELECT risk_score, flagged FROM access_logs WHERE id = $1`,
accessLogID,
).Scan(&score, &flagged)
if err == nil && score != nil && *score == wantScore && flagged == wantFlagged {
return
}
time.Sleep(100 * time.Millisecond)
}
t.Fatalf("access_log %s did not reach score=%d flagged=%v within 10s", accessLogID, wantScore, wantFlagged)
}
func assertTokenUsed(t *testing.T, ctx context.Context, pool *pgxpool.Pool, guestID uuid.UUID) {
t.Helper()
var status string
err := pool.QueryRow(ctx,
`SELECT status FROM tokens WHERE guest_id = $1`, guestID,
).Scan(&status)
must(t, err, "load token status")
if status != "used" {
t.Fatalf("expected token status=used for guest %s, got %s", guestID, status)
}
}
func assertTokenStatus(t *testing.T, ctx context.Context, pool *pgxpool.Pool, guestID uuid.UUID, want string) {
t.Helper()
var status string
err := pool.QueryRow(ctx,
`SELECT status FROM tokens WHERE guest_id = $1`, guestID,
).Scan(&status)
must(t, err, "load token status")
if status != want {
t.Fatalf("expected token status=%s for guest %s, got %s", want, guestID, status)
}
}
func assertNoRSVP(t *testing.T, ctx context.Context, pool *pgxpool.Pool, guestID uuid.UUID) {
t.Helper()
var n int
err := pool.QueryRow(ctx,
`SELECT count(*) FROM rsvps WHERE guest_id = $1`, guestID,
).Scan(&n)
must(t, err, "count rsvps")
if n != 0 {
t.Fatalf("expected 0 rsvps for blocked guest %s, got %d", guestID, n)
}
}
// --- NATS helpers ---
func mustPublishFraudScored(t *testing.T, ctx context.Context, c *natspub.Client, evt natspub.FraudScored) {
t.Helper()
body, _ := json.Marshal(evt)
_, err := c.JetStream().Publish(ctx, natspub.SubjectFraudScored, body)
must(t, err, "publish fraud.scored")
}
func subscribeRSVPConfirmed(t *testing.T, ctx context.Context, c *natspub.Client) *atomic.Int32 {
t.Helper()
cons, err := c.JetStream().CreateOrUpdateConsumer(ctx, natspub.StreamName, jetstream.ConsumerConfig{
Durable: "test-rsvp-confirmed",
Name: "test-rsvp-confirmed",
FilterSubject: natspub.SubjectRSVPConfirmed,
AckPolicy: jetstream.AckExplicitPolicy,
DeliverPolicy: jetstream.DeliverAllPolicy,
})
must(t, err, "create rsvp consumer")
var counter atomic.Int32
cc, err := cons.Consume(func(msg jetstream.Msg) {
counter.Add(1)
_ = msg.Ack()
})
must(t, err, "consume rsvp.confirmed")
t.Cleanup(cc.Stop)
return &counter
}
func waitForRSVPConfirmed(t *testing.T, counter *atomic.Int32, want int32) {
t.Helper()
deadline := time.Now().Add(5 * time.Second)
for time.Now().Before(deadline) {
if counter.Load() >= want {
return
}
time.Sleep(50 * time.Millisecond)
}
t.Fatalf("expected %d rsvp.confirmed events, saw %d", want, counter.Load())
}
// --- misc ---
func must(t *testing.T, err error, op string) {
t.Helper()
if err != nil {
t.Fatalf("%s: %v", op, err)
}
}
Reference in New Issue View Git Blame Copy Permalink