mirror of
https://github.com/we-promise/sure.git
synced 2026-07-15 06:15:20 +00:00
* feat(up): add Up Bank (AU) provider integration Adds Up Bank as a per-family, token-based bank sync provider, modelled on the existing Akahu integration. Up uses a JSON:API REST API with a personal access token (Bearer), cursor pagination via links.next, and returns both HELD (pending) and SETTLED transactions from one endpoint. New: - Provider::Up client (JSON:API unwrap, links.next pagination, retries, typed errors, /util/ping) + Provider::UpAdapter (Factory-registered, Depository + Loan). - UpItem / UpAccount models with Provided, Unlinking, Syncer, SyncCompleteEvent, Importer, Processor, Transactions::Processor, and UpEntry::Processor (amount sign flip, HELD->pending, foreignAmount FX, merchant from description, stale-pending pruning). - Family::UpConnectable, UpItemsController, routes, settings panel + connect flow views, accounts index wiring, initializer, en locale, and model tests. Core wiring: - "up" added to Transaction::PENDING_PROVIDERS, the three pending-match SQL blocks in Account::ProviderImportAdapter, Provider::Metadata::REGISTRY, ProviderMerchant/DataEnrichment source enums, ProviderConnectionStatus, settings provider panels, and financial data reset. Migration create_up_items_and_accounts must be run before use. No external API endpoints added (no OpenAPI changes). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(up): dump up tables to schema and make since filter TZ-safe The feature commit added the up_items/up_accounts migration but never re-dumped db/schema.rb, leaving the schema version and tables stale. Add the two table definitions and foreign keys and bump the schema version so a fresh DB load matches the migration. Also format a bare Date `since` as UTC midnight instead of the server's local zone, so `filter[since]` is deterministic regardless of where the app runs (previously shifted by the local UTC offset). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(up): address code review feedback Behavior/correctness: - Persist skipped accounts via a new up_accounts.ignored flag and a needs_setup scope, so skipped accounts stop resurfacing as "needs setup" on every sync. Linking clears the flag. - destroy now checks unlink_all! per-account results and aborts deletion (alert) if any unlink failed, instead of swallowing failures. - render_provider_panel_error redirect uses :see_other (was an invalid 4xx redirect status). - Up provider adapter falls back to item institution name/url when institution_metadata is absent (early return previously blocked it). Resilience/security: - fetch_all_resources guards against an API repeating the same links.next cursor (Set#add?), preventing infinite pagination. - HTTP client validates absolute URLs (from links.next) against Up's HTTPS host before sending the bearer token, preventing credential leakage to untrusted hosts. Diagnostics: - Route provider sync/import failures through DebugLogEntry.capture (controller, UpItem, syncer, unlinking) with family/account context. Low-level HTTP client and currency-normalization warnings keep Rails.logger to match existing provider conventions. Data integrity: - up_accounts.name and currency are NOT NULL (align with model presence validations); account_id stays nullable (allow_nil uniqueness). Forms: - select_existing_account radio is required; controller guards a blank/ unknown up_account_id with a friendly alert instead of RecordNotFound. Tests: - Add UpAccount needs_setup scope test, pagination loop guard test, untrusted-host rejection test; tighten filter[since] assertion to the exact UTC timestamp. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(up): address second-round review feedback - Capture sync/import failures via DebugLogEntry so swallowed errors in account/transaction fetching and transaction processing surface in /settings/debug instead of only Rails.logger. - Gate UP_DEBUG_RAW raw payload dump to local envs to avoid leaking PII (merchant names, amounts, account IDs) in managed/production logs. - Collapse linked/unlinked/total account counts into one memoized query instead of 3 separate COUNTs per rendered item. - Rename "Set Up Up Accounts" locale title to "Link Up Accounts". Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs(up): add method docstrings and align failed_result keys Add docstrings to all Up provider source files (controller, models, providers, concerns) to satisfy the 80% docstring coverage threshold. Third-round review: failed_result now mirrors import's result shape (accounts_updated/created/failed, transactions_imported/failed) instead of the stale accounts_imported key, so failure results stay consistent. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
161 lines
5.5 KiB
Ruby
161 lines
5.5 KiB
Ruby
require "test_helper"
|
|
|
|
class Provider::UpTest < ActiveSupport::TestCase
|
|
FakeResponse = Struct.new(:code, :body, :message, keyword_init: true)
|
|
|
|
test "fetches paginated account transactions following JSON:API links.next with bearer auth" do
|
|
next_url = "https://api.up.com.au/api/v1/accounts/acc_123/transactions?page%5Bafter%5D=cursor2"
|
|
responses = [
|
|
FakeResponse.new(
|
|
code: 200,
|
|
message: "OK",
|
|
body: {
|
|
data: [ { type: "transactions", id: "tx_1", attributes: { status: "SETTLED" }, relationships: { account: { data: { id: "acc_123" } } } } ],
|
|
links: { prev: nil, next: next_url }
|
|
}.to_json
|
|
),
|
|
FakeResponse.new(
|
|
code: 200,
|
|
message: "OK",
|
|
body: {
|
|
data: [ { type: "transactions", id: "tx_2", attributes: { status: "HELD" }, relationships: { account: { data: { id: "acc_123" } } } } ],
|
|
links: { prev: nil, next: nil }
|
|
}.to_json
|
|
)
|
|
]
|
|
requests = []
|
|
|
|
Provider::Up.stub(:get, ->(url, headers:, query: nil) {
|
|
requests << { url: url, headers: headers, query: query }
|
|
responses.shift
|
|
}) do
|
|
client = Provider::Up.new("up-access-token")
|
|
|
|
transactions = client.get_account_transactions(
|
|
account_id: "acc_123",
|
|
since: Date.new(2026, 1, 1)
|
|
)
|
|
|
|
assert_equal [ "tx_1", "tx_2" ], transactions.map { |tx| tx[:id] }
|
|
assert_equal [ "acc_123", "acc_123" ], transactions.map { |tx| tx[:account_id] }
|
|
assert_equal "SETTLED", transactions.first[:status]
|
|
end
|
|
|
|
assert_equal 2, requests.size
|
|
assert_match "/accounts/acc_123/transactions", requests.first[:url]
|
|
assert_equal "Bearer up-access-token", requests.first[:headers]["Authorization"]
|
|
assert_equal "2026-01-01T00:00:00Z", requests.first[:query]["filter[since]"]
|
|
assert_equal 100, requests.first[:query]["page[size]"]
|
|
# Pagination follows the absolute next URL with no extra query params.
|
|
assert_equal next_url, requests.second[:url]
|
|
assert_nil requests.second[:query]
|
|
end
|
|
|
|
test "stops paginating when the API repeats the same next cursor" do
|
|
repeating_url = "https://api.up.com.au/api/v1/accounts/acc_123/transactions?page%5Bafter%5D=loop"
|
|
page = FakeResponse.new(
|
|
code: 200,
|
|
message: "OK",
|
|
body: {
|
|
data: [ { type: "transactions", id: "tx_1", attributes: { status: "SETTLED" }, relationships: { account: { data: { id: "acc_123" } } } } ],
|
|
links: { prev: nil, next: repeating_url }
|
|
}.to_json
|
|
)
|
|
request_count = 0
|
|
|
|
Provider::Up.stub(:get, ->(url, headers:, query: nil) {
|
|
request_count += 1
|
|
raise "infinite pagination loop" if request_count > 5
|
|
|
|
page
|
|
}) do
|
|
client = Provider::Up.new("up-access-token")
|
|
transactions = client.get_account_transactions(account_id: "acc_123")
|
|
|
|
# First request + one follow of the repeated cursor, then the guard stops.
|
|
assert_equal 2, request_count
|
|
assert_equal [ "tx_1", "tx_1" ], transactions.map { |tx| tx[:id] }
|
|
end
|
|
end
|
|
|
|
test "refuses to follow a pagination link pointing at a non-Up host" do
|
|
evil_url = "https://evil.example.com/api/v1/accounts/acc_123/transactions?page%5Bafter%5D=x"
|
|
first_page = FakeResponse.new(
|
|
code: 200,
|
|
message: "OK",
|
|
body: {
|
|
data: [ { type: "transactions", id: "tx_1", attributes: { status: "SETTLED" }, relationships: { account: { data: { id: "acc_123" } } } } ],
|
|
links: { prev: nil, next: evil_url }
|
|
}.to_json
|
|
)
|
|
requested_urls = []
|
|
|
|
Provider::Up.stub(:get, ->(url, headers:, query: nil) {
|
|
requested_urls << url
|
|
first_page
|
|
}) do
|
|
client = Provider::Up.new("up-access-token")
|
|
|
|
error = assert_raises(Provider::Up::UpError) do
|
|
client.get_account_transactions(account_id: "acc_123")
|
|
end
|
|
assert_equal :invalid_url, error.error_type
|
|
end
|
|
|
|
# The bearer token must never be sent to the foreign host.
|
|
assert_not_includes requested_urls, evil_url
|
|
end
|
|
|
|
test "flattens JSON:API account resources" do
|
|
response = FakeResponse.new(
|
|
code: 200,
|
|
message: "OK",
|
|
body: {
|
|
data: [ {
|
|
type: "accounts",
|
|
id: "acc_123",
|
|
attributes: {
|
|
displayName: "Spending",
|
|
accountType: "TRANSACTIONAL",
|
|
ownershipType: "INDIVIDUAL",
|
|
balance: { currencyCode: "AUD", value: "123.45", valueInBaseUnits: 12345 }
|
|
}
|
|
} ],
|
|
links: { prev: nil, next: nil }
|
|
}.to_json
|
|
)
|
|
|
|
Provider::Up.stub(:get, ->(_url, headers:, query: nil) { response }) do
|
|
accounts = Provider::Up.new("up-access-token").get_accounts
|
|
|
|
assert_equal 1, accounts.size
|
|
account = accounts.first
|
|
assert_equal "acc_123", account[:id]
|
|
assert_equal "Spending", account[:displayName]
|
|
assert_equal "TRANSACTIONAL", account[:accountType]
|
|
assert_equal "AUD", account.dig(:balance, :currencyCode)
|
|
assert_equal "123.45", account.dig(:balance, :value)
|
|
end
|
|
end
|
|
|
|
test "raises typed errors for unauthorized responses" do
|
|
response = FakeResponse.new(code: 401, message: "Unauthorized", body: "{}")
|
|
|
|
Provider::Up.stub(:get, ->(_url, headers:, query: nil) { response }) do
|
|
error = assert_raises Provider::Up::UpError do
|
|
Provider::Up.new("invalid-token").get_accounts
|
|
end
|
|
|
|
assert_equal :unauthorized, error.error_type
|
|
end
|
|
end
|
|
|
|
test "raises configuration error when token blank" do
|
|
error = assert_raises Provider::Up::UpError do
|
|
Provider::Up.new("")
|
|
end
|
|
|
|
assert_equal :configuration_error, error.error_type
|
|
end
|
|
end
|