Files
sure/test/models/provider/up_test.rb
Jake dc2a565b6a feat(up): add Up Bank (AU) provider integration (#2391)
* feat(up): add Up Bank (AU) provider integration

Adds Up Bank as a per-family, token-based bank sync provider, modelled on
the existing Akahu integration. Up uses a JSON:API REST API with a personal
access token (Bearer), cursor pagination via links.next, and returns both
HELD (pending) and SETTLED transactions from one endpoint.

New:
- Provider::Up client (JSON:API unwrap, links.next pagination, retries,
  typed errors, /util/ping) + Provider::UpAdapter (Factory-registered,
  Depository + Loan).
- UpItem / UpAccount models with Provided, Unlinking, Syncer,
  SyncCompleteEvent, Importer, Processor, Transactions::Processor, and
  UpEntry::Processor (amount sign flip, HELD->pending, foreignAmount FX,
  merchant from description, stale-pending pruning).
- Family::UpConnectable, UpItemsController, routes, settings panel + connect
  flow views, accounts index wiring, initializer, en locale, and model tests.

Core wiring:
- "up" added to Transaction::PENDING_PROVIDERS, the three pending-match SQL
  blocks in Account::ProviderImportAdapter, Provider::Metadata::REGISTRY,
  ProviderMerchant/DataEnrichment source enums, ProviderConnectionStatus,
  settings provider panels, and financial data reset.

Migration create_up_items_and_accounts must be run before use. No external
API endpoints added (no OpenAPI changes).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(up): dump up tables to schema and make since filter TZ-safe

The feature commit added the up_items/up_accounts migration but never
re-dumped db/schema.rb, leaving the schema version and tables stale.
Add the two table definitions and foreign keys and bump the schema
version so a fresh DB load matches the migration.

Also format a bare Date `since` as UTC midnight instead of the server's
local zone, so `filter[since]` is deterministic regardless of where the
app runs (previously shifted by the local UTC offset).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(up): address code review feedback

Behavior/correctness:
- Persist skipped accounts via a new up_accounts.ignored flag and a
  needs_setup scope, so skipped accounts stop resurfacing as "needs
  setup" on every sync. Linking clears the flag.
- destroy now checks unlink_all! per-account results and aborts deletion
  (alert) if any unlink failed, instead of swallowing failures.
- render_provider_panel_error redirect uses :see_other (was an invalid
  4xx redirect status).
- Up provider adapter falls back to item institution name/url when
  institution_metadata is absent (early return previously blocked it).

Resilience/security:
- fetch_all_resources guards against an API repeating the same
  links.next cursor (Set#add?), preventing infinite pagination.
- HTTP client validates absolute URLs (from links.next) against Up's
  HTTPS host before sending the bearer token, preventing credential
  leakage to untrusted hosts.

Diagnostics:
- Route provider sync/import failures through DebugLogEntry.capture
  (controller, UpItem, syncer, unlinking) with family/account context.
  Low-level HTTP client and currency-normalization warnings keep
  Rails.logger to match existing provider conventions.

Data integrity:
- up_accounts.name and currency are NOT NULL (align with model presence
  validations); account_id stays nullable (allow_nil uniqueness).

Forms:
- select_existing_account radio is required; controller guards a blank/
  unknown up_account_id with a friendly alert instead of RecordNotFound.

Tests:
- Add UpAccount needs_setup scope test, pagination loop guard test,
  untrusted-host rejection test; tighten filter[since] assertion to the
  exact UTC timestamp.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(up): address second-round review feedback

- Capture sync/import failures via DebugLogEntry so swallowed errors in
  account/transaction fetching and transaction processing surface in
  /settings/debug instead of only Rails.logger.
- Gate UP_DEBUG_RAW raw payload dump to local envs to avoid leaking PII
  (merchant names, amounts, account IDs) in managed/production logs.
- Collapse linked/unlinked/total account counts into one memoized query
  instead of 3 separate COUNTs per rendered item.
- Rename "Set Up Up Accounts" locale title to "Link Up Accounts".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs(up): add method docstrings and align failed_result keys

Add docstrings to all Up provider source files (controller, models,
providers, concerns) to satisfy the 80% docstring coverage threshold.

Third-round review: failed_result now mirrors import's result shape
(accounts_updated/created/failed, transactions_imported/failed) instead
of the stale accounts_imported key, so failure results stay consistent.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 20:33:09 +02:00

161 lines
5.5 KiB
Ruby

require "test_helper"
class Provider::UpTest < ActiveSupport::TestCase
FakeResponse = Struct.new(:code, :body, :message, keyword_init: true)
test "fetches paginated account transactions following JSON:API links.next with bearer auth" do
next_url = "https://api.up.com.au/api/v1/accounts/acc_123/transactions?page%5Bafter%5D=cursor2"
responses = [
FakeResponse.new(
code: 200,
message: "OK",
body: {
data: [ { type: "transactions", id: "tx_1", attributes: { status: "SETTLED" }, relationships: { account: { data: { id: "acc_123" } } } } ],
links: { prev: nil, next: next_url }
}.to_json
),
FakeResponse.new(
code: 200,
message: "OK",
body: {
data: [ { type: "transactions", id: "tx_2", attributes: { status: "HELD" }, relationships: { account: { data: { id: "acc_123" } } } } ],
links: { prev: nil, next: nil }
}.to_json
)
]
requests = []
Provider::Up.stub(:get, ->(url, headers:, query: nil) {
requests << { url: url, headers: headers, query: query }
responses.shift
}) do
client = Provider::Up.new("up-access-token")
transactions = client.get_account_transactions(
account_id: "acc_123",
since: Date.new(2026, 1, 1)
)
assert_equal [ "tx_1", "tx_2" ], transactions.map { |tx| tx[:id] }
assert_equal [ "acc_123", "acc_123" ], transactions.map { |tx| tx[:account_id] }
assert_equal "SETTLED", transactions.first[:status]
end
assert_equal 2, requests.size
assert_match "/accounts/acc_123/transactions", requests.first[:url]
assert_equal "Bearer up-access-token", requests.first[:headers]["Authorization"]
assert_equal "2026-01-01T00:00:00Z", requests.first[:query]["filter[since]"]
assert_equal 100, requests.first[:query]["page[size]"]
# Pagination follows the absolute next URL with no extra query params.
assert_equal next_url, requests.second[:url]
assert_nil requests.second[:query]
end
test "stops paginating when the API repeats the same next cursor" do
repeating_url = "https://api.up.com.au/api/v1/accounts/acc_123/transactions?page%5Bafter%5D=loop"
page = FakeResponse.new(
code: 200,
message: "OK",
body: {
data: [ { type: "transactions", id: "tx_1", attributes: { status: "SETTLED" }, relationships: { account: { data: { id: "acc_123" } } } } ],
links: { prev: nil, next: repeating_url }
}.to_json
)
request_count = 0
Provider::Up.stub(:get, ->(url, headers:, query: nil) {
request_count += 1
raise "infinite pagination loop" if request_count > 5
page
}) do
client = Provider::Up.new("up-access-token")
transactions = client.get_account_transactions(account_id: "acc_123")
# First request + one follow of the repeated cursor, then the guard stops.
assert_equal 2, request_count
assert_equal [ "tx_1", "tx_1" ], transactions.map { |tx| tx[:id] }
end
end
test "refuses to follow a pagination link pointing at a non-Up host" do
evil_url = "https://evil.example.com/api/v1/accounts/acc_123/transactions?page%5Bafter%5D=x"
first_page = FakeResponse.new(
code: 200,
message: "OK",
body: {
data: [ { type: "transactions", id: "tx_1", attributes: { status: "SETTLED" }, relationships: { account: { data: { id: "acc_123" } } } } ],
links: { prev: nil, next: evil_url }
}.to_json
)
requested_urls = []
Provider::Up.stub(:get, ->(url, headers:, query: nil) {
requested_urls << url
first_page
}) do
client = Provider::Up.new("up-access-token")
error = assert_raises(Provider::Up::UpError) do
client.get_account_transactions(account_id: "acc_123")
end
assert_equal :invalid_url, error.error_type
end
# The bearer token must never be sent to the foreign host.
assert_not_includes requested_urls, evil_url
end
test "flattens JSON:API account resources" do
response = FakeResponse.new(
code: 200,
message: "OK",
body: {
data: [ {
type: "accounts",
id: "acc_123",
attributes: {
displayName: "Spending",
accountType: "TRANSACTIONAL",
ownershipType: "INDIVIDUAL",
balance: { currencyCode: "AUD", value: "123.45", valueInBaseUnits: 12345 }
}
} ],
links: { prev: nil, next: nil }
}.to_json
)
Provider::Up.stub(:get, ->(_url, headers:, query: nil) { response }) do
accounts = Provider::Up.new("up-access-token").get_accounts
assert_equal 1, accounts.size
account = accounts.first
assert_equal "acc_123", account[:id]
assert_equal "Spending", account[:displayName]
assert_equal "TRANSACTIONAL", account[:accountType]
assert_equal "AUD", account.dig(:balance, :currencyCode)
assert_equal "123.45", account.dig(:balance, :value)
end
end
test "raises typed errors for unauthorized responses" do
response = FakeResponse.new(code: 401, message: "Unauthorized", body: "{}")
Provider::Up.stub(:get, ->(_url, headers:, query: nil) { response }) do
error = assert_raises Provider::Up::UpError do
Provider::Up.new("invalid-token").get_accounts
end
assert_equal :unauthorized, error.error_type
end
end
test "raises configuration error when token blank" do
error = assert_raises Provider::Up::UpError do
Provider::Up.new("")
end
assert_equal :configuration_error, error.error_type
end
end