stack/apps/e2e/tests/backend/endpoints/api/v1/send-email.test.ts
BilalG1 57ff5d3ce9
Some checks failed
all-good: Did all the other checks pass? / all-good (push) Has been cancelled
Ensure Prisma migrations are in sync with the schema / check_prisma_migrations (22.x) (push) Has been cancelled
DB migration compat / Check if migrations changed (push) Has been cancelled
Docker Server Build and Push / Docker Build and Push Server (push) Has been cancelled
Docker Server Build and Run / docker (push) Has been cancelled
Runs E2E API Tests (Local Emulator) / E2E Tests (Local Emulator, Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (mock, 22.x) (push) Has been cancelled
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (prod, 22.x) (push) Has been cancelled
Runs E2E API Tests with custom port prefix / build (22.x) (push) Has been cancelled
Runs E2E Fallback Tests / E2E Fallback Tests (Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Lint & build / lint_and_build (24) (push) Has been cancelled
TOC Generator / TOC Generator (push) Has been cancelled
DB migration compat / Back-compat — Current branch migrations with ${{ needs.check-migrations-changed.outputs.base_branch }} branch code (push) Has been cancelled
DB migration compat / Forward-compat — Current branch code with ${{ needs.check-migrations-changed.outputs.base_branch }} branch migrations (push) Has been cancelled
DB migration compat / No migration changes (skipped) (push) Has been cancelled
feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481)
## Summary

**Stacked on [#1475](https://github.com/hexclave/stack-auth/pull/1475)**
(`cl/hexclave-pr1`, the invisible compatibility layer). Diff vs that
base = the actual PR 2 code.

This is **PR 2 of the Stack Auth → Hexclave rebrand: the visible flip**.
Old wire identifiers (cookies, request/response headers, Bearer prefix,
JWT issuers, MCP tool name) keep working indefinitely via PR 1's
dual-accept. This PR flips every user-visible surface — package names
taught in docs, SDK class names in code examples, dashboard setup
snippets, page titles, error messages, email content, CLI binary,
default base URLs, GitHub repo slug, contributor guidance — to the
Hexclave brand.

See [`RENAME-TO-HEXCLAVE.md`](./RENAME-TO-HEXCLAVE.md) → *"PR 2: Rebrand
to Hexclave (visible)"* for the full per-work-area spec.

## What's implemented (per the plan's PR 2 scope)

- **SDK base URLs** flipped: `defaultBaseUrl` and
`defaultAnalyticsBaseUrl` in
[common.ts](packages/template/src/lib/stack-app/apps/implementations/common.ts:127)
→ `https://api.hexclave.com` / `https://r.hexclave.com`. PR 1's
[`getHardcodedFallbackUrls`](packages/stack-shared/src/utils/urls.tsx:199)
table now keys on the Hexclave domain.

- **Domain inventory sweep** (16 subdomains from the plan): every
`api/app/docs/discord/demo/mcp/skill/feedback/test/preview/r/api2/api.staging/idp-jwk-audience/built-with.stack-auth.com`
reference in production code, docs-mintlify, examples, READMEs, and
contributor guidance flipped to `*.hexclave.com`. Carve-outs: PR 1's
intentional JWT issuer dual-accept table in
[tokens.tsx](apps/backend/src/lib/tokens.tsx), the legacy `./docs/`
folder, the `unified-docs-widget` allowlist (deliberately accepts both
during DNS transition), and `url-targets.ts` hosted-component default
(baked into existing customer deploys).

- **`@deprecated` JSDoc** on every `Stack*` public export
([packages/template/src/lib/stack-app/index.ts](packages/template/src/lib/stack-app/index.ts)
+ [packages/template/src/index.ts](packages/template/src/index.ts)) —
`StackClientApp`, `StackServerApp`, `StackAdminApp` + every
constructor/options/JSON type, `StackHandler`, `StackProvider`,
`StackTheme`, `useStackApp`, `defineStackConfig`, `StackConfig`.
Hexclave\* aliases are now canonical.

- **Runtime `console.warn`**
([packages/template/src/internal/deprecation-warning.ts](packages/template/src/internal/deprecation-warning.ts))
— once-per-process when the SDK is loaded from a `@stackframe/*`
artifact. Detection uses the existing
`STACK_COMPILE_TIME_CLIENT_PACKAGE_VERSION_SENTINEL` (rewritten at build
time to e.g. `js @stackframe/stack@2.8.92` or `js
@hexclave/next@1.0.0`); `@hexclave/*` mirror artifacts short-circuit the
warning.

- **Tier 3 data migration**: new idempotent SQL migration
[`20260523000000_rename_internal_project_to_hexclave`](apps/backend/prisma/migrations/20260523000000_rename_internal_project_to_hexclave/migration.sql)
— updates the internal Project `displayName` 'Stack Dashboard' →
'Hexclave Dashboard' and `description` only if both still hold the
pre-rebrand defaults. Operator-renamed projects untouched, missing row
no-ops, re-runs are no-ops. [`seed.ts`](apps/backend/prisma/seed.ts:87)
default flipped. `getSharedEmailConfig("Stack Auth")` → `("Hexclave")`.

- **Tier 4 brand strings** (mechanical sweep, ~340 files):
- Page + OpenAPI titles (Hexclave API / Dashboard / REST API / Webhooks
API / Documentation). OpenAPI `info.description` documents
`X-Hexclave-*` headers as canonical with compat note on `X-Stack-*`.
- `HexclaveAssertionError` message text
([errors.tsx:71](packages/stack-shared/src/utils/errors.tsx:71)) — "an
error in Stack." → "an error in Hexclave."
- Known-error message templates
([known-errors.tsx](packages/stack-shared/src/known-errors.tsx)) flipped
to lead with `x-hexclave-*` + the new `docs.hexclave.com` URL; legacy
`x-stack-*` mentioned as compat aliases. **25 e2e test files updated in
lockstep**.
- Email content: failed-emails-digest body, sendTestEmail recipient (now
`sent-with-hexclave.com`), test-email-recipient default.
  - `CHANGELOG.md` title → "Hexclave Changelog".
- `AGENTS.md` env var convention: new vars prefix `HEXCLAVE_` /
`NEXT_PUBLIC_HEXCLAVE_` for Category A/B; legacy `STACK_*` explicitly
noted as accepted via PR 1's dual-read.

- **CLI / init wizard**:
- Every dashboard setup snippet, init-stack template, and docs-mintlify
page teaches `npx @hexclave/cli@latest init` (was
`@stackframe/stack-cli`).
[setup-page.tsx](apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/(overview)/setup-page.tsx)
+
[link-existing-onboarding](apps/dashboard/src/app/(main)/(protected)/(outside-dashboard)/new-project/page-client-parts/link-existing-onboarding.tsx).
- [init-stack](packages/init-stack/src/index.ts:634)
`STACK_*_INSTALL_PACKAGE_NAME_OVERRIDE` defaults flipped to
`@hexclave/*`.
- Generated `stack/client.ts` / `stack/server.ts` import from
`@hexclave/next` and reference `HexclaveClientApp` /
`HexclaveServerApp`.
- Internal `StackAuthKeys` dashboard component renamed to
`HexclaveKeys`.

- **docs-mintlify rewrite** (legacy `./docs/` intentionally untouched
per scoping decision):
- **78 MDX files swept**.
`@stackframe/{react,stack,js,tanstack-start,...}` →
`@hexclave/{react,stack,js,...}` in install snippets and code blocks;
`Stack*` SDK class names → `Hexclave*` in all code examples; 'Stack
Auth' brand phrase → 'Hexclave'.
- `openapi/{server,admin,client,webhooks}.json` titles → 'Hexclave REST
API' / 'Hexclave Webhooks API'.

- **Generators flipped before regeneration**:
-
[`packages/stack-shared/src/helpers/init-prompt.ts`](packages/stack-shared/src/helpers/init-prompt.ts),
[`/ai/prompts.ts`](packages/stack-shared/src/ai/prompts.ts),
[`apps/backend/src/lib/ai/prompts.ts`](apps/backend/src/lib/ai/prompts.ts),
[`apps/backend/src/lib/ai/tools/create-email-{template,draft}.ts`](apps/backend/src/lib/ai/tools/create-email-template.ts),
[`apps/skills/src/app/route.ts`](apps/skills/src/app/route.ts) (taught
MCP tool → `ask_hexclave` with compat note; CLI binary teach →
`hexclave`),
[`docs-mintlify/snippets/home-prompt-island.jsx`](docs-mintlify/snippets/home-prompt-island.jsx),
[`packages/template/README.md`](packages/template/README.md) +
integrations/convex/component/README.md.
  - `generate-sdks` propagated changes to `packages/{react,stack,js}`.

- **OpenAPI dual-documentation**:
[`apps/backend/src/app/api/latest/route.ts`](apps/backend/src/app/api/latest/route.ts)
now lists `X-Hexclave-*` headers as primary documented schemas with
`X-Stack-*` duplicates marked `.optional()` (both accepted at runtime by
PR 1's normalize-at-proxy shim).

- **`@stackframe/emails` virtual module**: dual-aliased to
`@hexclave/emails` at the bundler boundary
([email-rendering.tsx:89](apps/backend/src/lib/email-rendering.tsx:89)).
Stored email templates continue to import from either name; new
AI-generated templates and the system prompt teach `@hexclave/emails`.

- **Tier 2 mirror-publish wiring** (new this PR, lays the groundwork for
`@hexclave/*` first publish):
-
[`scripts/rewrite-packages-to-hexclave.ts`](scripts/rewrite-packages-to-hexclave.ts)
— rewrites 9 publishable `@stackframe/*` → `@hexclave/*` `package.json`
files (reads `HEXCLAVE_VERSION` env or `--version=` flag), pins
cross-deps to the shared `@hexclave` version, registers `hexclave` bin
alongside `stack` for `@hexclave/cli`.
-
[`.github/workflows/npm-publish.yaml`](.github/workflows/npm-publish.yaml)
appended with rewrite-then-republish step. `pnpm publish` skips
already-on-npm versions so reruns are safe.

- **Sender email domain**: `noreply@stackframe.co` →
`noreply@sent-with-hexclave.com` (the dedicated transactional-sender
domain split per the plan, to isolate bulk deliverability from
`hexclave.com` reputation); `security@` / `team@stack-auth.com` inbound
mailboxes → `@hexclave.com`.

- **Self-host docs**: docker network / container names in the bash
examples flipped from `stack-auth` to `hexclave` (`hexclave-postgres`,
`hexclave-clickhouse`, `hexclave.env`). The docker image tag
`stackauth/server:latest` stays per the plan's locked decision.

- **GitHub repo slug**: `hexclave/stack-auth` → `hexclave/hexclave` in
every `package.json` `repository` field, README link, CHANGELOG
raw-asset URL.

## Carve-outs (deliberately untouched)

-
**[`apps/backend/src/lib/tokens.tsx`](apps/backend/src/lib/tokens.tsx)**
JWT issuer dual-accept table — PR 1 intentional infrastructure, kept
indefinitely.
- **Legacy `./docs/` folder** — per scoping decision (only
`docs-mintlify/` rewritten).
- **`unified-docs-widget` hostname allowlist** — accepts both
`.hexclave.com` (canonical) and `.stack-auth.com` (transition window)
for DNS rollout.
- **`url-targets.ts`** hosted-domain default
`.built-with-stack-auth.com` — wire identifier baked into existing
customer deploys; indefinite read-fallback.
- **Binary visual assets** (logos, favicons, OG images, README
screenshots) — out of scope for this PR. Need design work; tracked
separately.

## Verification

- **`pnpm typecheck`** on
`packages/{template,stack-shared,react,stack,js}` + `apps/dashboard`:
**all green**. The remaining backend / e-commerce-demo typecheck errors
are pre-existing (Prisma codegen output +
`./generated/api-versions.json` not present in fresh worktrees without
`pnpm run codegen-prisma` + a live DB) and unrelated to this diff.
- **`pnpm lint`** on the same 6 packages: all green.
- **Final grep** for residual `Stack Auth` / `stack-auth.com` /
`@stackframe/stack-cli@latest` references: zero outside the intentional
carve-outs above.
- **25 e2e test files updated in lockstep** with the known-error message
changes (asserted strings flipped to match the new x-hexclave-* +
compat-note messages).

## Deploy blockers (ops sequencing before this rebrand goes live)

This PR is code-complete, but the rebrand's visible surfaces (SDK
default URLs, dashboard links, npm READMEs, REST error messages, runtime
deprecation warning) all point at `*.hexclave.com` / `@hexclave/*`
resources that don't exist yet. None of these are fixable from a PR —
they're ops/registrar/npm work that has to be sequenced before merging
this to a release tag.

Suggested ordering, hardest blockers first:

### Tier 1 — required before customer-facing deploy (everything below
this line *will visibly break customers on day 1* if skipped)

1. **DNS + TLS for `api.hexclave.com` + `api1./api2.hexclave.com`** →
must point at the same backend that serves `api.stack-auth.com` (or a
backend that mirrors PR 1's dual-accept). The SDK's new `defaultBaseUrl`
is `https://api.hexclave.com`; every customer that relied on the old
default and upgrades to a post-PR2 SDK build sends API requests here.
Until this resolves, every default-config customer's API call NXDOMAINs.
2. **DNS for `app.hexclave.com`** → the dashboard. Referenced in the
SDK's default-error messages ("Please create a project on the Hexclave
dashboard at https://app.hexclave.com"), the init-stack flow's
`wizard-congrats` redirect, and the OAuth dashboard handoff.
3. **DNS for `docs.hexclave.com`** + Mintlify deploy → the SDK runtime
deprecation warning (`https://docs.hexclave.com/migration`), every
README, every "Learn more" link in the dashboard, and every REST API
error body (`/api/overview#authentication`) points here. The MDX is in
this PR; the docs build target needs DNS.
4. **DNS for `mcp.hexclave.com`** → the MCP server endpoint that every
taught agent integration (`claude mcp add ...`, `cursor`, `codex`,
`vscode`) registers. Until this resolves, every `npx
@hexclave/cli@latest init` MCP-registration step fails.
5. **Reserve the `@hexclave` npm scope + set repo variable
`HEXCLAVE_VERSION`** → the mirror-publish step in
`.github/workflows/npm-publish.yaml` is gated on this variable. Without
it, the entire taught onboarding command `npx @hexclave/cli@latest init`
404s from the npm registry, *and* every README that says "install
`@hexclave/next`" leads to install failure. Pick the initial version
intentionally (`1.0.0` or aligned to `@stackframe/stack`); don't accept
a silent default.

### Tier 2 — required before announcing the rebrand publicly (lookalike
or low-traffic surfaces, but visibly broken)

6. **DNS for `r.hexclave.com`** → the analytics beacon
`defaultAnalyticsBaseUrl`. Silent failure if missing (analytics drops),
but should land alongside Tier 1.
7. **Register `sent-with-hexclave.com` + full email auth (SPF / DKIM /
DMARC)** → the new default sender domain for shared-sender transactional
emails. Without it the dashboard "send test email" path emits bounces,
and shared-sender flows (`getSharedEmailConfig("Hexclave")`) deliver to
spam at best.
8. **MX + SPF / DMARC for `hexclave.com`** → `team@hexclave.com` and
`security@hexclave.com` mailboxes. The security disclosure mailbox is
referenced in [`.github/SECURITY.md`](.github/SECURITY.md);
`team@hexclave.com` is the actual recipient of internal feedback emails
sent at runtime by
[`apps/backend/src/lib/internal-feedback-emails.tsx`](apps/backend/src/lib/internal-feedback-emails.tsx).
Today, every runtime feedback email bounces.
9. **DNS for `skill.hexclave.com`** → the canonical AI-agent skill fetch
URL (the agent bootstrap pivot). Without it, the entire "agent downloads
`SKILL.md` from a known URL" flow taught in
[`packages/stack-shared/src/helpers/init-prompt.ts`](packages/stack-shared/src/helpers/init-prompt.ts)
fails.
10. **Create `github.com/hexclave/hexclave` as a public repo** (even as
a redirect to `hexclave/stack-auth`) **OR** rewrite every `package.json`
`"repository"` field + dashboard footer "view on GitHub" link to point
at `hexclave/stack-auth` (which already exists). Currently every npm
package page's "Repository" link is dead, and the dashboard's GitHub
button + dev-tool repo link are dead.

### Tier 3 — broken but low-visibility / low-traffic

11. **DNS for `discord.hexclave.com`** → Discord invite redirect, used
in every README's chip and the dashboard footer.
12. **DNS for `demo.hexclave.com`** → " Demo" badge in every npm
package README. Broken-image badge on the package page.
13. **DNS + TLS for `built-with-hexclave.com`** → optional
hosted-handler domain (the default reverted to
`.built-with-stack-auth.com` in this PR's carve-outs, so this only
matters for projects that manually flip).

## Other follow-ups (not deploy-blocking)

- **E2E snapshot regen across the full suite** for the dual-emitted
`x-hexclave-*` response headers (PR 1 follow-up; `vitest -u` in CI
absorbs).
- **Binary visual assets** — logos, favicons, OG images, README
screenshots; need design pass.
- **Backend OpenAPI fumadocs regen** in CI flow — the JSON files in
`docs-mintlify/openapi/` are committed but regen runs in CI. Verify the
workflow that does this still works against the post-PR2 source.
- **Backend typecheck infra debt** — needs `codegen-prisma` +
`codegen-route-info` to clear; pre-existing, unaffected by this PR.

## Test plan

- [ ] CI runs full e2e suite (with `vitest -u` to absorb residual
snapshot deltas, then committed back).
- [ ] Spot-check: new `@hexclave/cli init` (once published) generates
`hexclave.config.ts` and works against a fresh project.
- [ ] Spot-check: existing customer with `@stackframe/stack` import sees
the once-per-process `console.warn` recommending `@hexclave/next` on SDK
init.
- [ ] Manual: dashboard setup page renders the `npx @hexclave/cli@latest
init` snippet and the `x-hexclave-publishable-client-key` API header in
the curl example.
- [ ] Manual: a fresh `pnpm run prisma migrate` against a clean DB sets
the internal project displayName to 'Hexclave Dashboard'.

---------

Co-authored-by: Konstantin Wohlwend <n2d4xc@gmail.com>
2026-05-26 19:18:20 -07:00

747 lines
23 KiB
TypeScript

import { randomUUID } from "crypto";
import { describe } from "vitest";
import { it } from "../../../../helpers";
import { withPortPrefix } from "../../../../helpers/ports";
import { Auth, Project, User, backendContext, bumpEmailAddress, niceBackendFetch } from "../../../backend-helpers";
const testEmailConfig = {
type: "standard",
host: "localhost",
port: Number(withPortPrefix("29")),
username: "test",
password: "test",
sender_name: "Test Project",
sender_email: "test@example.com",
} as const;
describe("invalid requests", () => {
it("should return 401 when invalid access type is provided", async ({ expect }) => {
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "client",
body: {
user_ids: [randomUUID()],
html: "<p>Test email</p>",
subject: "Test Subject",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 401,
"body": {
"code": "INSUFFICIENT_ACCESS_TYPE",
"details": {
"actual_access_type": "client",
"allowed_access_types": [
"server",
"admin",
],
},
"error": "The x-hexclave-access-type header must be 'server' or 'admin', but was 'client'. (The legacy x-stack-access-type header is also accepted.)",
},
"headers": Headers {
"x-stack-known-error": "INSUFFICIENT_ACCESS_TYPE",
<some fields may have been hidden>,
},
}
`);
});
it("should return 200 with user not found error in results", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Successful Email Project",
config: {
email_config: testEmailConfig,
},
});
const user = await User.create();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [user.userId],
html: "<p>Test email</p>",
subject: "Test Subject",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": { "results": [{ "user_id": "<stripped UUID>" }] },
"headers": Headers { <some fields may have been hidden> },
}
`);
});
it("should return 400 when using shared email config", async ({ expect }) => {
await Project.createAndSwitch();
const createUserResponse = await niceBackendFetch("/api/v1/users", {
method: "POST",
accessType: "server",
body: {
primary_email: "test@example.com",
},
});
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [createUserResponse.body.id],
html: "<p>Test email</p>",
subject: "Test Subject",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 400,
"body": {
"code": "REQUIRES_CUSTOM_EMAIL_SERVER",
"error": "This action requires a custom SMTP server. Please edit your email server configuration and try again.",
},
"headers": Headers {
"x-stack-known-error": "REQUIRES_CUSTOM_EMAIL_SERVER",
<some fields may have been hidden>,
},
}
`);
});
it("should return 400 when invalid notification category name is provided", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Successful Email Project",
config: {
email_config: testEmailConfig,
},
});
const createUserResponse = await niceBackendFetch("/api/v1/users", {
method: "POST",
accessType: "server",
body: {
primary_email: "test@example.com",
},
});
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [createUserResponse.body.id],
html: "<p>Test email</p>",
subject: "Test Subject",
notification_category_name: "Invalid",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 400,
"body": "Notification category not found with given name",
"headers": Headers { <some fields may have been hidden> },
}
`);
});
});
it("should return 200 with disabled notifications error in results when user has disabled notifications for the category", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Successful Email Project",
config: {
email_config: testEmailConfig,
},
});
const user = await User.create();
// Disable notifications for Marketing category
const disableNotificationsResponse = await niceBackendFetch(`/api/v1/emails/notification-preference/${user.userId}/4f6f8873-3d04-46bd-8bef-18338b1a1b4c`, {
method: "PATCH",
accessType: "server",
body: {
enabled: false,
},
});
expect(disableNotificationsResponse).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": {
"can_disable": true,
"enabled": false,
"notification_category_id": "<stripped UUID>",
"notification_category_name": "Marketing",
},
"headers": Headers { <some fields may have been hidden> },
}
`);
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [user.userId],
html: "<p>Test email</p>",
subject: "Test Subject",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": { "results": [{ "user_id": "<stripped UUID>" }] },
"headers": Headers { <some fields may have been hidden> },
}
`);
});
it("should return 200 with no primary email error in results when user does not have a primary email", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Successful Email Project",
config: {
email_config: testEmailConfig,
},
});
const createUserResponse = await niceBackendFetch("/api/v1/users", {
method: "POST",
accessType: "server",
body: {},
});
expect(createUserResponse.status).toBe(201);
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [createUserResponse.body.id],
html: "<p>Test email</p>",
subject: "Test Subject",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": { "results": [{ "user_id": "<stripped UUID>" }] },
"headers": Headers { <some fields may have been hidden> },
}
`);
});
it("should return 200 and send email successfully", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Successful Email Project",
config: {
email_config: testEmailConfig,
},
});
const { userId } = await Auth.Password.signUpWithEmail();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [userId],
html: "<h1>Test Email</h1><p>This is a test email with HTML content.</p>",
subject: "Custom Test Email Subject",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": { "results": [{ "user_id": "<stripped UUID>" }] },
"headers": Headers { <some fields may have been hidden> },
}
`);
// Verify the email was actually sent by checking the mailbox
const messages = await backendContext.value.mailbox.waitForMessagesWithSubject("Custom Test Email Subject");
expect(messages).toMatchInlineSnapshot(`
[
MailboxMessage {
"attachments": [],
"body": {
"html": "http://localhost:<$NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX>02/api/v1/emails/unsubscribe-link?code=%3Cstripped+query+param%3E",
"text": "http://localhost:<$NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX>02/api/v1/emails/unsubscribe-link?code=%3Cstripped+query+param%3E",
},
"from": "Test Project <test@example.com>",
"subject": "Custom Test Email Subject",
"to": ["<default-mailbox--<stripped UUID>@stack-generated.example.com>"],
<some fields may have been hidden>,
},
]
`);
});
it("should handle user that does not exist", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Mixed Results Project",
config: {
email_config: testEmailConfig,
},
});
const userWithDisabledNotifications = await User.create();
await niceBackendFetch(`/api/v1/emails/notification-preference/${userWithDisabledNotifications.userId}/4f6f8873-3d04-46bd-8bef-18338b1a1b4c`, {
method: "PATCH",
accessType: "server",
body: {
enabled: false,
},
});
const nonExistentUserId = randomUUID();
const successfulUser = await User.create();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [userWithDisabledNotifications.userId, nonExistentUserId, successfulUser.userId],
html: "<h1>Bulk Test Email</h1><p>This is a bulk test email.</p>",
subject: "Bulk Test Email Subject",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 400,
"body": {
"code": "USER_ID_DOES_NOT_EXIST",
"details": { "user_id": "<stripped UUID>" },
"error": "The given user with the ID <stripped UUID> does not exist.",
},
"headers": Headers {
"x-stack-known-error": "USER_ID_DOES_NOT_EXIST",
<some fields may have been hidden>,
},
}
`);
});
it("should send email using a draft_id and mark draft as sent", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Send Draft Project",
config: {
email_config: {
type: "standard",
host: "localhost",
port: Number(withPortPrefix("29")),
username: "test",
password: "test",
sender_name: "Test Project",
sender_email: "test@example.com",
},
},
});
const { userId } = await Auth.Password.signUpWithEmail();
const tsxSource = `import { Container } from "@react-email/components";
import { Subject, NotificationCategory, Props } from "@stackframe/emails";
export function EmailTemplate({ user, project }: Props) {
return (
<Container>
<Subject value="Draft Based Subject" />
<NotificationCategory value="Marketing" />
<div>Hello {user.displayName}</div>
</Container>
);
}`;
const createDraftRes = await niceBackendFetch("/api/v1/internal/email-drafts", {
method: "POST",
accessType: "admin",
body: {
display_name: "Welcome Draft",
theme_id: false,
tsx_source: tsxSource,
},
});
expect(createDraftRes.status).toBe(200);
const draftId = createDraftRes.body.id as string;
const sendRes = await niceBackendFetch("/api/v1/emails/send-email", {
method: "POST",
accessType: "server",
body: {
user_ids: [userId],
draft_id: draftId,
subject: "Overridden Subject", // still allow explicit subject
notification_category_name: "Marketing",
},
});
expect(sendRes.status).toBe(200);
expect(sendRes.body.results).toHaveLength(1);
await backendContext.value.mailbox.waitForMessagesWithSubject("Overridden Subject");
const getDraftRes = await niceBackendFetch(`/api/v1/internal/email-drafts/${draftId}`, {
method: "GET",
accessType: "admin",
});
expect(getDraftRes.status).toBe(200);
expect(getDraftRes.body.sent_at_millis).toEqual(expect.any(Number));
});
describe("validation errors", () => {
it("should return 400 when neither html nor template_id is provided", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Validation Project",
config: {
email_config: testEmailConfig,
},
});
const user = await User.create();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [user.userId],
subject: "Test Subject",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 400,
"body": {
"code": "SCHEMA_ERROR",
"details": {
"message": deindent\`
Request validation failed on POST /api/v1/emails/send-email:
- body is not matched by any of the provided schemas:
Schema 0:
body.html must be defined
Schema 1:
body.template_id must be defined
Schema 2:
body.draft_id must be defined
\`,
},
"error": deindent\`
Request validation failed on POST /api/v1/emails/send-email:
- body is not matched by any of the provided schemas:
Schema 0:
body.html must be defined
Schema 1:
body.template_id must be defined
Schema 2:
body.draft_id must be defined
\`,
},
"headers": Headers {
"x-stack-known-error": "SCHEMA_ERROR",
<some fields may have been hidden>,
},
}
`);
});
it("should return 200 when empty user_ids array is provided", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Empty UserIds Project",
config: {
email_config: testEmailConfig,
},
});
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [],
html: "<p>Test email</p>",
subject: "Test Subject",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": { "results": [] },
"headers": Headers { <some fields may have been hidden> },
}
`);
});
});
describe("all users", () => {
it("should return 400 when both user_ids and all_users are provided", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Both user_ids and all_users",
config: {
email_config: testEmailConfig,
},
});
const user = await User.create();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [user.userId],
all_users: true,
html: "<p>Test email</p>",
subject: "Test Subject",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 400,
"body": {
"code": "SCHEMA_ERROR",
"details": { "message": "Exactly one of user_ids or all_users must be provided" },
"error": "Exactly one of user_ids or all_users must be provided",
},
"headers": Headers {
"x-stack-known-error": "SCHEMA_ERROR",
<some fields may have been hidden>,
},
}
`);
});
it("should send one email per user when all_users is true", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test All Users Email Project",
config: {
email_config: testEmailConfig,
},
});
const mailbox1 = await bumpEmailAddress();
await User.create({ primary_email: mailbox1.emailAddress, primary_email_verified: true });
const mailbox2 = await bumpEmailAddress();
await User.create({ primary_email: mailbox2.emailAddress, primary_email_verified: true });
const mailbox3 = await bumpEmailAddress();
await User.create({ primary_email: mailbox3.emailAddress, primary_email_verified: true });
const subject = "Send to All Users Test Subject";
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
all_users: true,
html: "<p>Broadcast email to all users</p>",
subject,
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": {
"results": [
{ "user_id": "<stripped UUID>" },
{ "user_id": "<stripped UUID>" },
{ "user_id": "<stripped UUID>" },
],
},
"headers": Headers { <some fields may have been hidden> },
}
`);
await mailbox1.waitForMessagesWithSubject(subject);
await mailbox2.waitForMessagesWithSubject(subject);
await mailbox3.waitForMessagesWithSubject(subject);
});
});
describe("template-based emails", () => {
it("should return 400 when invalid template_id is provided", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Invalid Template Project",
config: {
email_config: testEmailConfig,
},
});
const user = await User.create();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [user.userId],
template_id: randomUUID(),
variables: { name: "Test User" },
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 400,
"body": "No template found with given template_id",
"headers": Headers { <some fields may have been hidden> },
}
`);
});
it("should return 400 when invalid theme_id is provided", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Invalid Theme Project",
config: {
email_config: testEmailConfig,
},
});
const user = await User.create();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [user.userId],
html: "<p>Test email with invalid theme</p>",
subject: "Test Subject",
theme_id: "non-existent-theme",
notification_category_name: "Marketing",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 400,
"body": {
"code": "SCHEMA_ERROR",
"details": {
"message": deindent\`
Request validation failed on POST /api/v1/emails/send-email:
- body is not matched by any of the provided schemas:
Schema 0:
body.theme_id is invalid
Schema 1:
body.template_id must be defined
body.theme_id is invalid
body contains unknown properties: html
body contains unknown properties: html
Schema 2:
body.draft_id must be defined
body.theme_id is invalid
body contains unknown properties: html
body contains unknown properties: html
\`,
},
"error": deindent\`
Request validation failed on POST /api/v1/emails/send-email:
- body is not matched by any of the provided schemas:
Schema 0:
body.theme_id is invalid
Schema 1:
body.template_id must be defined
body.theme_id is invalid
body contains unknown properties: html
body contains unknown properties: html
Schema 2:
body.draft_id must be defined
body.theme_id is invalid
body contains unknown properties: html
body contains unknown properties: html
\`,
},
"headers": Headers {
"x-stack-known-error": "SCHEMA_ERROR",
<some fields may have been hidden>,
},
}
`);
});
});
describe("notification categories", () => {
it("should return 200 and send email successfully with Transactional category", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Transactional Project",
config: {
email_config: testEmailConfig,
},
});
const { userId } = await Auth.Password.signUpWithEmail();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [userId],
html: "<p>Transactional email</p>",
subject: "Transactional Test Subject",
notification_category_name: "Transactional",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": { "results": [{ "user_id": "<stripped UUID>" }] },
"headers": Headers { <some fields may have been hidden> },
}
`);
// Verify the email was sent
await backendContext.value.mailbox.waitForMessagesWithSubject("Transactional Test Subject");
});
it("should default to Transactional category when notification_category_name is not provided", async ({ expect }) => {
await Project.createAndSwitch({
display_name: "Test Default Category Project",
config: {
email_config: testEmailConfig,
},
});
const { userId } = await Auth.Password.signUpWithEmail();
const response = await niceBackendFetch(
"/api/v1/emails/send-email",
{
method: "POST",
accessType: "server",
body: {
user_ids: [userId],
html: "<p>Default category email</p>",
subject: "Default Category Test Subject",
}
}
);
expect(response).toMatchInlineSnapshot(`
NiceResponse {
"status": 200,
"body": { "results": [{ "user_id": "<stripped UUID>" }] },
"headers": Headers { <some fields may have been hidden> },
}
`);
// Verify the email was sent
await backendContext.value.mailbox.waitForMessagesWithSubject("Default Category Test Subject");
});
});