Skip to content
Merged

Test #696

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
f99277e
feat(measurement-jobs): free-tier card gate (setup mode) + instant ba…
sweetmantech Jun 16, 2026
158a1d4
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 16, 2026
5fa5e3a
fix(songstats-backfill): backoff on 429 + defer instead of churn (cha…
sweetmantech Jun 16, 2026
1e9deac
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 16, 2026
5f45946
refactor(songstats): remove local quota ledger + budget gate (chat#17…
sweetmantech Jun 16, 2026
5472795
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 16, 2026
f24d4c7
feat: POST /api/catalogs (create + materialize from valuation snapsho…
sweetmantech Jun 18, 2026
ace0b01
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
a520a1d
fix: LEFT-join artists in catalog-songs read (materialized tracks wer…
sweetmantech Jun 18, 2026
76b5739
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
709ea0c
feat: add X (Twitter) + LinkedIn to the Composio connector whitelist …
sweetmantech Jun 18, 2026
8a3c3cb
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
66cc2fe
chore: remove unused ALLOWED_ARTIST_CONNECTORS from api (chat#1793) (…
sweetmantech Jun 18, 2026
79c22da
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
6fc10cc
fix: enrich valuation-captured songs (artists + notes) so they render…
sweetmantech Jun 18, 2026
0e42d02
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
2fa7029
fix(tasks): let admins fetch any task by id alone (cross-account read…
sweetmantech Jun 19, 2026
bd2ae10
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 19, 2026
cdb34d0
feat(connectors): POST /api/connectors/files — stage images for Linke…
sweetmantech Jun 20, 2026
acae4d8
Merge main into test (sync #692 Songstats work)
sweetmantech Jun 23, 2026
2a7af68
feat(artists): account_id override for DELETE /api/artists/{id} (#693)
sweetmantech Jun 23, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 52 additions & 1 deletion lib/artists/__tests__/validateDeleteArtistRequest.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ describe("validateDeleteArtistRequest", () => {
const result = await validateDeleteArtistRequest(request, validArtistId);

expect(result).toBe(authError);
expect(validateAuthContext).toHaveBeenCalledWith(request);
expect(validateAuthContext).toHaveBeenCalledWith(request, { accountId: undefined });
});

it("returns 404 when the artist does not exist", async () => {
Expand Down Expand Up @@ -125,4 +125,55 @@ describe("validateDeleteArtistRequest", () => {
requesterAccountId: authenticatedAccountId,
});
});

describe("account_id override", () => {
const overrideAccountId = "770e8400-e29b-41d4-a716-446655440000";

it("passes the account_id override to validateAuthContext and resolves against it", async () => {
vi.mocked(validateAuthContext).mockResolvedValue({
accountId: overrideAccountId,
authToken: "test-token",
orgId: null,
});
vi.mocked(selectAccounts).mockResolvedValue([{ id: validArtistId }] as never);
vi.mocked(checkAccountArtistAccess).mockResolvedValue(true);

const request = new NextRequest(`http://localhost/api/artists/${validArtistId}`, {
method: "DELETE",
headers: {
Authorization: "Bearer test-token",
"Content-Type": "application/json",
},
body: JSON.stringify({ account_id: overrideAccountId }),
});

const result = await validateDeleteArtistRequest(request, validArtistId);

expect(validateAuthContext).toHaveBeenCalledWith(request, {
accountId: overrideAccountId,
});
expect(checkAccountArtistAccess).toHaveBeenCalledWith(overrideAccountId, validArtistId);
expect(result).toEqual({
artistId: validArtistId,
requesterAccountId: overrideAccountId,
});
});

it("returns 400 when account_id is not a valid UUID", async () => {
const request = new NextRequest(`http://localhost/api/artists/${validArtistId}`, {
method: "DELETE",
headers: {
Authorization: "Bearer test-token",
"Content-Type": "application/json",
},
body: JSON.stringify({ account_id: "not-a-uuid" }),
});

const result = await validateDeleteArtistRequest(request, validArtistId);

expect(result).toBeInstanceOf(NextResponse);
expect((result as NextResponse).status).toBe(400);
expect(validateAuthContext).not.toHaveBeenCalled();
});
});
});
27 changes: 26 additions & 1 deletion lib/artists/validateDeleteArtistRequest.ts
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
import { NextRequest, NextResponse } from "next/server";
import { z } from "zod";
import { validateAccountParams } from "@/lib/accounts/validateAccountParams";
import { validateAuthContext } from "@/lib/auth/validateAuthContext";
import { getCorsHeaders } from "@/lib/networking/getCorsHeaders";
import { safeParseJson } from "@/lib/networking/safeParseJson";
import { checkAccountArtistAccess } from "@/lib/artists/checkAccountArtistAccess";
import { selectAccounts } from "@/lib/supabase/accounts/selectAccounts";

Expand All @@ -10,9 +12,17 @@ export interface DeleteArtistRequest {
requesterAccountId: string;
}

const deleteArtistBodySchema = z.object({
account_id: z.string().uuid("account_id must be a valid UUID").optional(),
});

/**
* Validates DELETE /api/artists/{id} path params and authentication.
*
* Accepts an optional `account_id` in the request body so a caller with access
* to multiple accounts (org members or Recoup admins) can delete an artist in
* another account's context. The override is authorized by `validateAuthContext`.
*
* @param request - The incoming request
* @param id - The artist account ID from the route
* @returns The validated artist ID plus requester context, or a NextResponse error
Expand All @@ -26,7 +36,22 @@ export async function validateDeleteArtistRequest(
return validatedParams;
}

const authResult = await validateAuthContext(request);
const body = await safeParseJson(request);
const bodyResult = deleteArtistBodySchema.safeParse(body);
if (!bodyResult.success) {
const firstError = bodyResult.error.issues[0];
return NextResponse.json(
{
status: "error",
error: firstError.message,
},
{ status: 400, headers: getCorsHeaders() },
);
}

const authResult = await validateAuthContext(request, {
accountId: bodyResult.data.account_id,
});
if (authResult instanceof NextResponse) {
return authResult;
}
Expand Down
Loading