feat: harden billing verification and add browse route parity

2026-02-04 08:52:22 +07:00
parent ccec406d6d
commit a4d2031117
20 changed files with 2080 additions and 144 deletions
--- a/app/tests/Feature/ApiV1EndpointsTest.php
+++ b/app/tests/Feature/ApiV1EndpointsTest.php
@@ -38,6 +38,7 @@ class ApiV1EndpointsTest extends TestCase
    public function test_license_verify_returns_ok_when_accept_all_is_enabled(): void
    {
        config()->set('dewemoji.license.accept_all', true);
+        config()->set('dewemoji.billing.mode', 'live');

        $response = $this->postJson('/v1/license/verify', [
            'key' => 'dummy-key',
@@ -53,5 +54,174 @@ class ApiV1EndpointsTest extends TestCase
                'tier' => 'pro',
            ]);
    }
-}

+    public function test_license_verify_returns_401_when_live_and_key_is_not_valid(): void
+    {
+        config()->set('dewemoji.billing.mode', 'live');
+        config()->set('dewemoji.license.accept_all', false);
+        config()->set('dewemoji.license.pro_keys', []);
+        config()->set('dewemoji.billing.providers.gumroad.enabled', false);
+        config()->set('dewemoji.billing.providers.mayar.enabled', false);
+
+        $response = $this->postJson('/v1/license/verify', [
+            'key' => 'not-valid',
+        ]);
+
+        $response
+            ->assertStatus(401)
+            ->assertHeader('X-Dewemoji-Tier', 'free')
+            ->assertJsonPath('ok', false)
+            ->assertJsonPath('error', 'invalid_license')
+            ->assertJsonPath('details.gumroad', 'gumroad_disabled')
+            ->assertJsonPath('details.mayar', 'mayar_disabled');
+    }
+
+    public function test_license_verify_uses_gumroad_stub_key_when_enabled(): void
+    {
+        config()->set('dewemoji.billing.mode', 'live');
+        config()->set('dewemoji.license.accept_all', false);
+        config()->set('dewemoji.license.pro_keys', []);
+        config()->set('dewemoji.billing.providers.gumroad.enabled', true);
+        config()->set('dewemoji.billing.providers.gumroad.test_keys', ['gumroad-dev-key']);
+        config()->set('dewemoji.billing.providers.mayar.enabled', false);
+
+        $response = $this->postJson('/v1/license/verify', [
+            'key' => 'gumroad-dev-key',
+        ]);
+
+        $response
+            ->assertOk()
+            ->assertJsonPath('ok', true)
+            ->assertJsonPath('source', 'gumroad')
+            ->assertJsonPath('plan', 'pro');
+    }
+
+    public function test_emoji_detail_by_slug_endpoint_returns_item(): void
+    {
+        config()->set('dewemoji.billing.mode', 'sandbox');
+
+        $response = $this->getJson('/v1/emoji/grinning-face');
+
+        $response
+            ->assertOk()
+            ->assertJsonPath('slug', 'grinning-face')
+            ->assertJsonPath('name', 'grinning face');
+    }
+
+    public function test_emoji_detail_by_query_slug_endpoint_returns_item(): void
+    {
+        $response = $this->getJson('/v1/emoji?slug=thumbs-up');
+
+        $response
+            ->assertOk()
+            ->assertJsonPath('slug', 'thumbs-up')
+            ->assertJsonPath('supports_skin_tone', true);
+    }
+
+    public function test_license_activate_and_deactivate_in_sandbox_mode(): void
+    {
+        config()->set('dewemoji.billing.mode', 'sandbox');
+        config()->set('dewemoji.license.max_devices', 3);
+
+        $activate = $this->postJson('/v1/license/activate', [
+            'key' => 'any-test-key',
+            'email' => 'dev@dewemoji.test',
+            'product' => 'chrome',
+            'device_id' => 'device-1',
+        ]);
+
+        $activate
+            ->assertOk()
+            ->assertJsonPath('ok', true)
+            ->assertJsonPath('pro', true)
+            ->assertJsonPath('product', 'chrome')
+            ->assertJsonPath('device_id', 'device-1');
+
+        $deactivate = $this->postJson('/v1/license/deactivate', [
+            'key' => 'any-test-key',
+            'product' => 'chrome',
+            'device_id' => 'device-1',
+        ]);
+
+        $deactivate
+            ->assertOk()
+            ->assertJsonPath('ok', true)
+            ->assertJsonPath('product', 'chrome')
+            ->assertJsonPath('device_id', 'device-1');
+    }
+
+    public function test_free_daily_limit_returns_429_after_cap(): void
+    {
+        config()->set('dewemoji.billing.mode', 'live');
+        config()->set('dewemoji.license.accept_all', false);
+        config()->set('dewemoji.license.pro_keys', []);
+        config()->set('dewemoji.free_daily_limit', 1);
+
+        $first = $this->getJson('/v1/emojis?q=happy&page=1&limit=10');
+        $first->assertOk()->assertJsonPath('usage.used', 1);
+
+        $second = $this->getJson('/v1/emojis?q=good&page=1&limit=10');
+        $second
+            ->assertStatus(429)
+            ->assertJsonPath('error', 'daily_limit_reached');
+    }
+
+    public function test_emojis_endpoint_returns_pro_tier_when_live_key_is_whitelisted(): void
+    {
+        config()->set('dewemoji.billing.mode', 'live');
+        config()->set('dewemoji.license.accept_all', false);
+        config()->set('dewemoji.license.pro_keys', ['pro-key-123']);
+        config()->set('dewemoji.billing.providers.gumroad.enabled', false);
+        config()->set('dewemoji.billing.providers.mayar.enabled', false);
+
+        $response = $this->getJson('/v1/emojis?q=grinning&key=pro-key-123');
+
+        $response
+            ->assertOk()
+            ->assertHeader('X-Dewemoji-Tier', 'pro')
+            ->assertJsonPath('total', 1);
+    }
+
+    public function test_emojis_endpoint_accepts_authorization_bearer_key(): void
+    {
+        config()->set('dewemoji.billing.mode', 'live');
+        config()->set('dewemoji.license.accept_all', false);
+        config()->set('dewemoji.license.pro_keys', ['bearer-pro-key']);
+
+        $response = $this
+            ->withHeaders(['Authorization' => 'Bearer bearer-pro-key'])
+            ->getJson('/v1/emojis?q=grinning');
+
+        $response
+            ->assertOk()
+            ->assertHeader('X-Dewemoji-Tier', 'pro');
+    }
+
+    public function test_emojis_endpoint_accepts_x_license_key_header(): void
+    {
+        config()->set('dewemoji.billing.mode', 'live');
+        config()->set('dewemoji.license.accept_all', false);
+        config()->set('dewemoji.license.pro_keys', ['header-pro-key']);
+
+        $response = $this
+            ->withHeaders(['X-License-Key' => 'header-pro-key'])
+            ->getJson('/v1/emojis?q=grinning');
+
+        $response
+            ->assertOk()
+            ->assertHeader('X-Dewemoji-Tier', 'pro');
+    }
+
+    public function test_metrics_endpoint_requires_token_or_allowed_ip(): void
+    {
+        config()->set('dewemoji.metrics.enabled', true);
+        config()->set('dewemoji.metrics.token', 'secret-token');
+        config()->set('dewemoji.metrics.allow_ips', []);
+
+        $forbidden = $this->getJson('/v1/metrics');
+        $forbidden->assertStatus(403);
+
+        $allowed = $this->getJson('/v1/metrics?token=secret-token');
+        $allowed->assertOk()->assertJsonPath('ok', true);
+    }
+}
--- a/app/tests/Feature/SitePagesTest.php
+++ b/app/tests/Feature/SitePagesTest.php
@@ -16,6 +16,9 @@ class SitePagesTest extends TestCase
    public function test_core_pages_are_available(): void
    {
        $this->get('/')->assertOk();
+        $this->get('/browse')->assertOk();
+        $this->get('/animals')->assertOk();
+        $this->get('/animals/animal-mammal')->assertOk();
        $this->get('/api-docs')->assertOk();
        $this->get('/pricing')->assertOk();
        $this->get('/privacy')->assertOk();
@@ -34,4 +37,3 @@ class SitePagesTest extends TestCase
        $this->get('/emoji/unknown-slug')->assertNotFound();
    }
 }
-