kin: BATON-002 [Research] UX Designer

tests/test_webhook.py

@@ -0,0 +1,115 @@
+"""
+Tests for POST /api/webhook/telegram.
+"""
+from __future__ import annotations
+
+import os
+
+os.environ.setdefault("BOT_TOKEN", "test-bot-token")
+os.environ.setdefault("CHAT_ID", "-1001234567890")
+os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
+os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
+os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
+
+import pytest
+from tests.conftest import make_app_client
+
+CORRECT_SECRET = "test-webhook-secret"
+
+_SAMPLE_UPDATE = {
+    "update_id": 100,
+    "message": {
+        "message_id": 1,
+        "from": {"id": 12345678, "first_name": "Test", "last_name": "User"},
+        "chat": {"id": 12345678, "type": "private"},
+        "text": "/start",
+    },
+}
+
+
+@pytest.mark.asyncio
+async def test_webhook_valid_secret_returns_200():
+    """Correct X-Telegram-Bot-Api-Secret-Token → 200."""
+    async with make_app_client() as client:
+        resp = await client.post(
+            "/api/webhook/telegram",
+            json=_SAMPLE_UPDATE,
+            headers={"X-Telegram-Bot-Api-Secret-Token": CORRECT_SECRET},
+        )
+    assert resp.status_code == 200
+    assert resp.json() == {"ok": True}
+
+
+@pytest.mark.asyncio
+async def test_webhook_missing_secret_returns_403():
+    """Request without the secret header must return 403."""
+    async with make_app_client() as client:
+        resp = await client.post(
+            "/api/webhook/telegram",
+            json=_SAMPLE_UPDATE,
+        )
+    assert resp.status_code == 403
+
+
+@pytest.mark.asyncio
+async def test_webhook_wrong_secret_returns_403():
+    """Request with a wrong secret header must return 403."""
+    async with make_app_client() as client:
+        resp = await client.post(
+            "/api/webhook/telegram",
+            json=_SAMPLE_UPDATE,
+            headers={"X-Telegram-Bot-Api-Secret-Token": "wrong-secret"},
+        )
+    assert resp.status_code == 403
+
+
+@pytest.mark.asyncio
+async def test_webhook_start_command_registers_user():
+    """A /start command in the update should not raise and must return 200."""
+    async with make_app_client() as client:
+        resp = await client.post(
+            "/api/webhook/telegram",
+            json={
+                "update_id": 101,
+                "message": {
+                    "message_id": 2,
+                    "from": {"id": 99887766, "first_name": "Frank", "last_name": ""},
+                    "chat": {"id": 99887766, "type": "private"},
+                    "text": "/start",
+                },
+            },
+            headers={"X-Telegram-Bot-Api-Secret-Token": CORRECT_SECRET},
+        )
+    assert resp.status_code == 200
+
+
+@pytest.mark.asyncio
+async def test_webhook_non_start_command_returns_200():
+    """Any update without /start should still return 200."""
+    async with make_app_client() as client:
+        resp = await client.post(
+            "/api/webhook/telegram",
+            json={
+                "update_id": 102,
+                "message": {
+                    "message_id": 3,
+                    "from": {"id": 11111111, "first_name": "Anon"},
+                    "chat": {"id": 11111111, "type": "private"},
+                    "text": "hello",
+                },
+            },
+            headers={"X-Telegram-Bot-Api-Secret-Token": CORRECT_SECRET},
+        )
+    assert resp.status_code == 200
+
+
+@pytest.mark.asyncio
+async def test_webhook_empty_body_with_valid_secret_returns_200():
+    """An update with no message field should still return 200."""
+    async with make_app_client() as client:
+        resp = await client.post(
+            "/api/webhook/telegram",
+            json={"update_id": 103},
+            headers={"X-Telegram-Bot-Api-Secret-Token": CORRECT_SECRET},
+        )
+    assert resp.status_code == 200