2020-01-11 13:58:02 +00:00
|
|
|
<?php
|
|
|
|
|
|
2020-01-12 06:35:37 +00:00
|
|
|
namespace Tests\E2E\Services\Account;
|
2020-01-11 13:58:02 +00:00
|
|
|
|
2024-03-06 17:34:21 +00:00
|
|
|
use Tests\E2E\Client;
|
2020-01-11 13:58:02 +00:00
|
|
|
use Tests\E2E\Scopes\ProjectConsole;
|
2024-03-06 17:34:21 +00:00
|
|
|
use Tests\E2E\Scopes\Scope;
|
2020-01-11 13:58:02 +00:00
|
|
|
use Tests\E2E\Scopes\SideClient;
|
2024-02-21 12:29:28 +00:00
|
|
|
use Utopia\Database\Helpers\ID;
|
2020-01-11 13:58:02 +00:00
|
|
|
|
|
|
|
|
class AccountConsoleClientTest extends Scope
|
|
|
|
|
{
|
2023-01-11 12:39:56 +00:00
|
|
|
use AccountBase;
|
2020-01-11 13:58:02 +00:00
|
|
|
use ProjectConsole;
|
|
|
|
|
use SideClient;
|
2024-01-28 03:02:44 +00:00
|
|
|
|
2026-04-05 01:43:05 +00:00
|
|
|
/**
|
|
|
|
|
* Test that account deletion succeeds even with active team memberships.
|
|
|
|
|
* When the user is the sole owner and only member of a team, the team
|
|
|
|
|
* should be cleaned up automatically.
|
|
|
|
|
*/
|
|
|
|
|
public function testDeleteAccountWithMembership(): void
|
2024-01-28 03:02:44 +00:00
|
|
|
{
|
2024-03-06 17:34:21 +00:00
|
|
|
$email = uniqid() . 'user@localhost.test';
|
|
|
|
|
$password = 'password';
|
|
|
|
|
$name = 'User Name';
|
|
|
|
|
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
]), [
|
|
|
|
|
'userId' => ID::unique(),
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
'name' => $name,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals($response['headers']['status-code'], 201);
|
|
|
|
|
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account/sessions/email', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
]), [
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals($response['headers']['status-code'], 201);
|
|
|
|
|
|
|
|
|
|
$session = $response['cookies']['a_session_' . $this->getProject()['$id']];
|
2025-10-21 01:59:30 +00:00
|
|
|
|
2026-04-05 01:43:05 +00:00
|
|
|
// Create team — user becomes sole owner and only member
|
2024-03-06 17:34:21 +00:00
|
|
|
$team = $this->client->call(Client::METHOD_POST, '/teams', [
|
2024-01-28 03:02:44 +00:00
|
|
|
'origin' => 'http://localhost',
|
2024-03-06 17:34:21 +00:00
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session,
|
|
|
|
|
], [
|
2024-01-28 03:02:44 +00:00
|
|
|
'teamId' => 'unique()',
|
|
|
|
|
'name' => 'myteam'
|
2024-03-06 17:34:21 +00:00
|
|
|
]);
|
|
|
|
|
$this->assertEquals($team['headers']['status-code'], 201);
|
|
|
|
|
|
2026-04-05 01:43:05 +00:00
|
|
|
// Account deletion should succeed even with active membership
|
2024-03-06 17:34:21 +00:00
|
|
|
$response = $this->client->call(Client::METHOD_DELETE, '/account', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session,
|
|
|
|
|
]));
|
|
|
|
|
|
2026-04-05 01:43:05 +00:00
|
|
|
$this->assertEquals(204, $response['headers']['status-code']);
|
|
|
|
|
}
|
2024-03-06 17:34:21 +00:00
|
|
|
|
2026-04-05 01:43:05 +00:00
|
|
|
/**
|
|
|
|
|
* Test that account deletion works when the user has no team memberships.
|
|
|
|
|
*/
|
|
|
|
|
public function testDeleteAccountWithoutMembership(): void
|
|
|
|
|
{
|
|
|
|
|
$email = uniqid() . 'user@localhost.test';
|
|
|
|
|
$password = 'password';
|
|
|
|
|
$name = 'User Name';
|
|
|
|
|
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
]), [
|
|
|
|
|
'userId' => ID::unique(),
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
'name' => $name,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals($response['headers']['status-code'], 201);
|
|
|
|
|
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account/sessions/email', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
]), [
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals($response['headers']['status-code'], 201);
|
|
|
|
|
|
|
|
|
|
$session = $response['cookies']['a_session_' . $this->getProject()['$id']];
|
|
|
|
|
|
|
|
|
|
$response = $this->client->call(Client::METHOD_DELETE, '/account', array_merge([
|
2024-03-06 17:34:21 +00:00
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session,
|
|
|
|
|
]));
|
2026-04-05 01:43:05 +00:00
|
|
|
|
|
|
|
|
$this->assertEquals(204, $response['headers']['status-code']);
|
2024-01-28 03:02:44 +00:00
|
|
|
}
|
2025-10-31 12:22:47 +00:00
|
|
|
|
|
|
|
|
public function testSessionAlert(): void
|
|
|
|
|
{
|
|
|
|
|
$email = uniqid() . 'session-alert@appwrite.io';
|
|
|
|
|
$password = 'password123';
|
|
|
|
|
$name = 'Session Alert Tester';
|
|
|
|
|
|
|
|
|
|
// Create a new account
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
'x-appwrite-dev-key' => $this->getProject()['devKey'] ?? ''
|
|
|
|
|
]), [
|
|
|
|
|
'userId' => ID::unique(),
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
'name' => $name,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(201, $response['headers']['status-code']);
|
|
|
|
|
|
|
|
|
|
// Create first session for the new account
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account/sessions/email', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
'user-agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36',
|
|
|
|
|
]), [
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(201, $response['headers']['status-code']);
|
|
|
|
|
|
|
|
|
|
// Create second session for the new account
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account/sessions/email', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
'user-agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36',
|
|
|
|
|
]), [
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Check the alert email
|
2026-01-10 13:33:20 +00:00
|
|
|
$lastEmail = $this->getLastEmailByAddress($email);
|
2025-10-31 12:22:47 +00:00
|
|
|
|
2026-01-10 13:33:20 +00:00
|
|
|
$this->assertNotEmpty($lastEmail, 'Email not found for address: ' . $email);
|
2025-10-31 12:22:47 +00:00
|
|
|
$this->assertStringContainsString('Security alert: new session', $lastEmail['subject']);
|
|
|
|
|
$this->assertStringContainsString($response['body']['ip'], $lastEmail['text']); // IP Address
|
|
|
|
|
$this->assertStringContainsString('Unknown', $lastEmail['text']); // Country
|
|
|
|
|
$this->assertStringContainsString($response['body']['clientName'], $lastEmail['text']); // Client name
|
|
|
|
|
$this->assertStringContainsStringIgnoringCase('Appwrite logo', $lastEmail['html']);
|
|
|
|
|
|
|
|
|
|
// Verify no alert sent in OTP login
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account/tokens/email', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
]), [
|
|
|
|
|
'userId' => ID::unique(),
|
|
|
|
|
'email' => 'otpuser2@appwrite.io'
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals($response['headers']['status-code'], 201);
|
|
|
|
|
$this->assertNotEmpty($response['body']['$id']);
|
|
|
|
|
$this->assertNotEmpty($response['body']['$createdAt']);
|
|
|
|
|
$this->assertNotEmpty($response['body']['userId']);
|
|
|
|
|
$this->assertNotEmpty($response['body']['expire']);
|
|
|
|
|
$this->assertEmpty($response['body']['secret']);
|
|
|
|
|
$this->assertEmpty($response['body']['phrase']);
|
|
|
|
|
$this->assertStringContainsStringIgnoringCase('New login detected on '. $this->getProject()['name'], $lastEmail['text']);
|
|
|
|
|
|
|
|
|
|
$userId = $response['body']['userId'];
|
|
|
|
|
|
2026-01-10 13:33:20 +00:00
|
|
|
$lastEmail = $this->getLastEmailByAddress('otpuser2@appwrite.io');
|
2025-10-31 12:22:47 +00:00
|
|
|
|
2026-01-10 13:33:20 +00:00
|
|
|
$this->assertNotEmpty($lastEmail, 'Email not found for address: otpuser2@appwrite.io');
|
2025-10-31 12:22:47 +00:00
|
|
|
$this->assertEquals('OTP for ' . $this->getProject()['name'] . ' Login', $lastEmail['subject']);
|
|
|
|
|
|
|
|
|
|
// Find 6 concurrent digits in email text - OTP
|
|
|
|
|
preg_match_all("/\b\d{6}\b/", $lastEmail['text'], $matches);
|
chore: bump PHPStan to level 4 and fix all new errors
Raises `phpstan.neon` level from 3 to 4 and fixes the 549 new errors
that level 4 surfaces across 157 files. Fixes are root-cause — no
`@phpstan-ignore`, no `@var` casts, no baseline entries, no widened
types. A handful of latent bugs were fixed along the way:
- `app/controllers/general.php`: path-traversal guard was negating
`\substr(...)` before the strict comparison (`!\substr(...) === $base`
was always `false === $base`). Rewritten as `\substr(...) !== $base`.
- `src/Appwrite/Platform/Modules/Databases/Http/Databases/Logs/XList.php`
and `.../TablesDB/Logs/XList.php`: were importing the raw Matomo
`DeviceDetector` (whose `getDevice()` returns `?int`) but treating the
result as an array with `deviceName/deviceBrand/deviceModel` keys.
Swapped to `Appwrite\Detector\Detector`, matching the wrapper already
used a few lines below for `$os`/`$client`.
- `src/Appwrite/Platform/Modules/Functions/Workers/Builds.php`: a match
key was checking `$resourceKey === 'functions'` when `$resourceKey`
is `'functionId'|'siteId'` — always false. Switched to the intended
`$resource->getCollection() === 'functions'` check.
- `src/Appwrite/OpenSSL/OpenSSL.php`: `encrypt()` return type tightened
to `string|false` to match `openssl_encrypt`; this lets callers'
`=== false` error handling remain meaningful.
- `app/controllers/api/messaging.php`: removed a dead
`array_key_exists('from', [])` branch in the Msg91 provider (empty
array literal; branch was unreachable).
Large cleanup categories across the 549 fixes:
- Removed redundant `?? default` on array offsets and expressions that
PHPStan now knows are non-nullable.
- Removed unreachable statements (mostly `return;` after `throw` or
`markTestSkipped()`).
- Removed redundant `is_array`/`is_string`/`is_bool`/`instanceof` checks
on already-narrowed types.
- Added `default =>` arms (or throwing arms) to non-exhaustive matches
on `string`/`mixed` input.
- Removed dead `$document === false` branches where method return types
were tightened to non-nullable `Document`.
- Removed unused properties (`$version` on Etsy/Zoom OAuth2, `$paths` on
Installer State, `$source` on MigrationsWorker, `$account2` on two
GraphQL auth tests), unused traits (`ApiVectorsDB`, `DatabaseFixture`),
and an unused `cleanupStaleExecutions` task method.
- Replaced `assertTrue(true)` and redundant `assertIsArray`/`assertIsString`/
`assertNotNull` assertions with `addToAssertionCount(1)` or
`assertNotEmpty` where the runtime type was already known.
2026-04-19 12:01:20 +00:00
|
|
|
$code = $matches[0][0] ?? '';
|
2025-10-31 12:22:47 +00:00
|
|
|
|
|
|
|
|
$this->assertNotEmpty($code);
|
|
|
|
|
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account/sessions/token', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
]), [
|
|
|
|
|
'userId' => $userId,
|
|
|
|
|
'secret' => $code
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(201, $response['headers']['status-code']);
|
|
|
|
|
$this->assertEquals($userId, $response['body']['userId']);
|
|
|
|
|
$this->assertNotEmpty($response['body']['$id']);
|
|
|
|
|
$this->assertNotEmpty($response['body']['expire']);
|
|
|
|
|
$this->assertEmpty($response['body']['secret']);
|
|
|
|
|
|
|
|
|
|
$lastEmailId = $lastEmail['id'];
|
2026-01-10 13:33:20 +00:00
|
|
|
$lastEmail = $this->getLastEmailByAddress('otpuser2@appwrite.io');
|
2025-10-31 12:22:47 +00:00
|
|
|
$this->assertEquals($lastEmailId, $lastEmail['id']);
|
|
|
|
|
}
|
2026-01-02 11:31:03 +00:00
|
|
|
|
|
|
|
|
public function testGetAccountLogs(): void
|
|
|
|
|
{
|
|
|
|
|
$email = uniqid() . 'user@localhost.test';
|
|
|
|
|
$password = 'password';
|
|
|
|
|
$name = 'User Name';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Test for SUCCESS - Create account and session for console project
|
|
|
|
|
*/
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
]), [
|
|
|
|
|
'userId' => ID::unique(),
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
'name' => $name,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals($response['headers']['status-code'], 201);
|
|
|
|
|
|
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/account/sessions/email', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
]), [
|
|
|
|
|
'email' => $email,
|
|
|
|
|
'password' => $password,
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals($response['headers']['status-code'], 201);
|
|
|
|
|
|
|
|
|
|
$session = $response['cookies']['a_session_' . $this->getProject()['$id']];
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Test for SUCCESS - Get account logs
|
|
|
|
|
*/
|
|
|
|
|
$response = $this->client->call(Client::METHOD_GET, '/account/logs', array_merge([
|
|
|
|
|
'origin' => 'http://localhost',
|
|
|
|
|
'content-type' => 'application/json',
|
|
|
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
|
|
|
'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session,
|
|
|
|
|
]));
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(200, $response['headers']['status-code']);
|
|
|
|
|
$this->assertIsArray($response['body']['logs']);
|
|
|
|
|
$this->assertNotEmpty($response['body']['logs']);
|
|
|
|
|
$this->assertIsNumeric($response['body']['total']);
|
|
|
|
|
}
|
2022-05-23 14:54:50 +00:00
|
|
|
}
|