Test the API-key lifecycle and webhook CRUD endpoints
Description
The API-key endpoints (POST/GET/DELETE /api/v1/api-keys) and webhook endpoints (POST/GET/PATCH/DELETE /api/v1/webhooks, plus /:id/test) in src/index.ts have zero tests in src/health.test.ts. These manage credentials and event subscriptions, so untested behaviour is risky. This issue adds full coverage.
Requirements and context
- Repository scope: Agentpay-Org/Agentpay-backend only.
- Cover api-key create (201 with apk_ prefix), list (prefix-only, never the secret), and revoke-by-prefix (204 and 404).
- Cover webhook register (url + events validation, 201), list, patch (partial url/events updates), delete (204/404), and /:id/test (404 for unknown, simulated delivery for known).
- Assert validation failures return 400 invalid_request with a requestId, including the http(s) URL regex and 2048-char limit.
- Assert the api-key list response never contains the full key.
Suggested execution
- Fork the repo and create a branch: git checkout -b test/testing-13-apikeys-webhooks
- Implement changes
- Write comprehensive tests in: new src/apikeys-webhooks.test.ts using supertest.
- Write code in: no production change expected unless a real bug surfaces.
- Add documentation: none beyond test descriptions.
- Add clear test titles.
- Validate security assumptions: confirm secret is never echoed in list responses or logs.
Test and commit
- Run npm run build, npm test, and npm run lint.
- Cover edge cases: revoke non-existent prefix, webhook bad URL, empty events array, patch with neither field.
- Include the full npm test output in the PR description.
Example commit message
test: cover api-key lifecycle and webhook crud endpoints
Guidelines
- Minimum 95 percent test coverage for impacted modules.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
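
One way to back the "list never contains the full key" and "secret is never echoed in list responses or logs" assertions, as an added example that is not code from the AgentPay repository. The helper name findKeyLeaks, the response shapes, the key values and the length of the displayed prefix are all assumptions made for illustration.

```typescript
// Added example: key values, response shapes and log lines are constructed.

// Returns the JSON paths (and log line indexes) where secret key material
// appears. `shownPrefix` is the part the list endpoint may expose; anything
// past it is treated as secret, so a leak of the tail alone is also caught.
function findKeyLeaks(body: unknown, logs: string[], fullKey: string, shownPrefix: string): string[] {
  if (fullKey.indexOf(shownPrefix) !== 0 || shownPrefix.length >= fullKey.length) {
    throw new Error("shownPrefix must be a proper prefix of fullKey");
  }
  const secretTail = fullKey.slice(shownPrefix.length);
  const leaks: string[] = [];
  const hit = (s: string): boolean => s.indexOf(secretTail) !== -1;

  // Walk every string value and property name, however deeply nested.
  const walk = (node: unknown, path: string): void => {
    if (typeof node === "string") {
      if (hit(node)) leaks.push(path);
    } else if (Array.isArray(node)) {
      node.forEach((v: unknown, i: number) => walk(v, path + "[" + i + "]"));
    } else if (node !== null && typeof node === "object") {
      const obj = node as Record<string, unknown>;
      for (const k of Object.keys(obj)) {
        if (hit(k)) leaks.push(path + "." + k + " (property name)");
        walk(obj[k], path + "." + k);
      }
    }
  };

  walk(body, "$");
  logs.forEach((line: string, i: number) => {
    if (hit(line)) leaks.push("log[" + i + "]");
  });
  return leaks;
}

// Constructed sample data (hypothetical shapes, not the real API contract).
const createdKey = "apk_3f9c1d7e5b2a4c6d8e0f1a2b3c4d5e6f";
const shownPrefix = "apk_3f9c1d7e";
const safeList = { keys: [{ prefix: shownPrefix, createdAt: "2024-01-01T00:00:00Z" }] };
const leakyList = { keys: [{ prefix: shownPrefix, debug: { raw: createdKey } }] };
const sampleLogs = ["GET /api/v1/api-keys 200", "auth ok key=" + createdKey];

console.log(findKeyLeaks(safeList, [sampleLogs[0]], createdKey, shownPrefix));
console.log(findKeyLeaks(leakyList, sampleLogs, createdKey, shownPrefix));
```

In a supertest test, pass the parsed list response body and whatever log output the test captured, then assert the returned array is empty.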